Example C1 Border Router Configuration Example

version 12.0
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname border-router
!
boot system flash c7200-k4p-mz.120-10.S2
boot system flash
!
logging buffered 16384 debugging
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
!
enable secret shhhhhthisisasecret
!
clock timezone GMT 0
ip subnet-zero
ip cef
no ip source-route
no ip finger
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password shhhhsecret
no ip bootp server
!
! Set up DNS - note that one secondary NS is hosted by my upstream ISP
ip domain-name net.galaxy
ip name-server 220.144.159.1
ip name-server 220.144.159.2
ip name-server 219.10.2.1
!
! SSH support
ip ssh time-out 120
ip ssh authentication-retries 3
!
interface Loopback0
 description Loopback interface on border-router
 ip address 220.144.159.192 255.255.255.255
 no ip directed-broadcast
!

interface FastEthernet0/0
 description Ethernet to Core1 (x-over ethernet)
 ip address 220.144.159.65 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip route-cache flow
!
interface Serial1/0
 description 256Kb HDLC link to Buzz Internet
 bandwidth 256
 ip address 219.10.1.2 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip directed-broadcast
 ip route-cache flow
 no fair-queue
!
interface Serial1/1
 description 512Kb HDLC link to Whoosh Internet
 bandwidth 512
 ip address 219.50.10.2 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip directed-broadcast
 ip route-cache flow
 no fair-queue
!
interface FastEthernet2/0
 description Ethernet to Core2 (x-over ethernet)
 ip address 220.144.159.69 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip route-cache flow
!

router ospf 100
 network 219.50.10.0 0.0.0.3 area 0
 network 219.10.1.0 0.0.0.3 area 0
 network 220.144.159.64 0.0.0.7 area 0
 network 220.144.159.192 0.0.0.0 area 0
 passive-interface Serial1/0
 passive-interface Serial1/1
 passive-interface Loopback0
 log-adjacency-changes
!
router bgp 64511
 no synchronization
 bgp log-neighbor-changes
 ! Use peer-groups - more efficient
 neighbor core-ibgp peer-group
 neighbor core-ibgp remote-as 64511
 neighbor core-ibgp update-source Loopback0
 neighbor core-ibgp password BGPsecretPW
 neighbor core-ibgp send-community
 ! Get full routing table from both upstreams - block RFC1918+ address space inbound
 ! only announce my address block outbound
 ! (the Buzz peer is the far end of the Serial1/0 /30; this router is 219.10.1.2)
 neighbor 219.10.1.1 remote-as 64400
 neighbor 219.10.1.1 description Connection to Buzz Internet
 neighbor 219.10.1.1 prefix-list infilter in
 neighbor 219.10.1.1 prefix-list outfilter out
 neighbor 219.10.1.1 password BuzzSecretPW
 neighbor 219.50.10.1 remote-as 64500
 neighbor 219.50.10.1 description Connection to Whoosh Internet
 neighbor 219.50.10.1 prefix-list infilter in
 neighbor 219.50.10.1 prefix-list outfilter out
 neighbor 219.50.10.1 password WhooshSecretPW
 ! iBGP with core routers - using route reflectors
 neighbor 220.144.159.193 peer-group core-ibgp
 neighbor 220.144.159.193 description Core1
 neighbor 220.144.159.194 peer-group core-ibgp
 neighbor 220.144.159.194 description Core2
 no auto-summary
!
ip classless
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 220.144.128.0 255.255.224.0 Null0
ip tacacs source-interface Loopback0
ip bgp-community new-format
!
no logging console
logging trap debugging
logging source-interface Loopback0
logging 220.144.159.129
!
! SNMP access-list
access-list 1 permit 220.144.159.129
access-list 1 permit 220.144.159.130
access-list 1 deny any log
!

! INBOUND access-list on external interfaces
! BLOCK THE MARTIANS
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 220.144.128.0 0.0.31.255 any
access-list 100 deny ip any 0.0.0.255 255.255.255.0
access-list 100 deny ip any 0.0.0.0 255.255.255.0
! ACCESS TO SERIAL PORTS
access-list 100 permit icmp any host 219.10.1.2
access-list 100 permit icmp any host 219.50.10.2
access-list 100 permit icmp any 220.144.128.0 0.0.31.255
access-list 100 permit udp any host 219.10.1.2
access-list 100 permit udp any host 219.50.10.2
access-list 100 deny ip any host 219.10.1.2 log
access-list 100 deny ip any host 219.50.10.2 log
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 established
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq 22 ! SSH
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq ftp
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq ftp-data
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq ident
access-list 100 permit udp any 220.144.128.0 0.0.31.255 eq ntp
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq smtp
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq www
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq pop3
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq 143
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq 389 ! LDAP
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq 443 ! HTTPS
access-list 100 deny tcp any 220.144.128.0 0.0.31.255 eq 2049 log ! NFS
access-list 100 deny udp any 220.144.128.0 0.0.31.255 eq 2049 log ! NFS
access-list 100 deny tcp any 220.144.128.0 0.0.31.255 eq 6000 log ! X
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 gt 1023
access-list 100 permit udp any 220.144.128.0 0.0.31.255 gt 1023
access-list 100 deny ip any any log
!
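As an added check (example code written for this page, not part of the original configuration and not a Cisco tool): a small first-match evaluator for the extended access-list syntax that list 100 uses, run against constructed packets. It implements the IOS rules the list depends on: wildcard masks (a 0 bit means "must match"), the `ip` keyword matching every protocol, `eq`/`gt` port tests, `established` (only TCP segments with ACK or RST set) and the implicit deny after the last entry. The embedded entries are an excerpt of list 100 (martians, the Serial1/0 rules, a few service rules and the final deny); the 198.51.100.0/24 sources and the host 220.144.130.5 are constructed test data. One thing the exercise makes visible about the full list: no entry permits TCP or UDP port 53 to the name servers at 220.144.159.1 and 220.144.159.2, so a query from an outside resolver falls through to the final `deny ip any any log`; only the `udp ... gt 1023` entry lets replies to the servers' own queries back in.

```python
"""Added example (not from the page or from Cisco): first-match evaluator for
the numbered extended ACL syntax used by access-list 100, for offline checks."""
import ipaddress

# Port names used in list 100 (assumed IANA numbers).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ident": 113, "ntp": 123,
              "smtp": 25, "www": 80, "pop3": 110}

# Excerpt of access-list 100; trailing '! ...' annotations are stripped.
ACL_100 = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 220.144.128.0 0.0.31.255 any
access-list 100 deny ip any 0.0.0.255 255.255.255.0
access-list 100 deny ip any 0.0.0.0 255.255.255.0
access-list 100 permit icmp any host 219.10.1.2
access-list 100 deny ip any host 219.10.1.2 log
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 established
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq 22 ! SSH
access-list 100 permit tcp any 220.144.128.0 0.0.31.255 eq smtp
access-list 100 deny tcp any 220.144.128.0 0.0.31.255 eq 6000 log ! X
access-list 100 permit udp any 220.144.128.0 0.0.31.255 gt 1023
access-list 100 deny ip any any log
"""

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (value, mask, rest).
    A wildcard bit of 0 means 'must match', so the compare mask is ~wildcard."""
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    value = int(ipaddress.IPv4Address(tokens[0]))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))
    return value & mask, mask, tokens[2:]

def _port(tokens):
    """Consume an optional 'eq P' / 'gt P' qualifier; return (cond, rest)."""
    if tokens and tokens[0] in ("eq", "gt"):
        name = tokens[1]
        return (tokens[0], PORT_NAMES.get(name) or int(name)), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [sport] DST [dport]
    [established] [log]' lines into a list of entry dicts, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line.startswith("access-list"):
            continue
        t = line.split()
        src, smask, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, dmask, rest = _addr(rest)
        dport, rest = _port(rest)
        entries.append(dict(action=t[2], proto=t[3], src=src, smask=smask,
                            sport=sport, dst=dst, dmask=dmask, dport=dport,
                            established="established" in rest, log="log" in rest))
    return entries

def _port_ok(cond, port):
    if cond is None:
        return True
    op, value = cond
    return port == value if op == "eq" else port > value

def evaluate(entries, proto, src, dst, sport=0, dport=0, ack=False):
    """Return (action, index) of the first entry matching the packet, or
    ('deny', None) for the implicit deny that ends every IOS access-list.
    'ack' means 'ACK or RST flag set', which is what 'established' tests."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):           # 'ip' matches any protocol
            continue
        if (s & e["smask"]) != e["src"] or (d & e["dmask"]) != e["dst"]:
            continue
        if not _port_ok(e["sport"], sport) or not _port_ok(e["dport"], dport):
            continue
        if e["established"] and not ack:
            continue
        return e["action"], i
    return "deny", None

ENTRIES = parse_acl(ACL_100)

if __name__ == "__main__":
    # Constructed packets: 198.51.100.7 stands in for 'the Internet',
    # 220.144.130.5 for a host inside 220.144.128.0/19.
    for pkt in [("tcp", "10.1.2.3", "220.144.130.5", 40000, 80),
                ("tcp", "198.51.100.7", "220.144.130.5", 40000, 22),
                ("udp", "198.51.100.7", "220.144.159.1", 53, 53),
                ("tcp", "198.51.100.7", "219.10.1.2", 40000, 22)]:
        print(pkt, "->", evaluate(ENTRIES, *pkt))
```

The index returned with each verdict is what you want when auditing an ACL: it tells you which entry actually fired, so a permit that hits `established` rather than the service entry you expected, or a deny that hits the catch-all rather than the logged serial-port entry, shows up immediately.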

! OUTBOUND access-list on external interfaces
! My address block
access-list 101 permit ip 220.144.128.0 0.0.31.255 any
! and external facing interfaces
access-list 101 permit ip host 219.10.1.2 any
access-list 101 permit ip host 219.50.10.2 any
access-list 101 deny ip any any log
!
! VTY access-list
access-list 198 permit ip 220.144.159.128 0.0.0.63 any ! NOC systems
access-list 198 permit ip 220.144.159.192 0.0.0.63 any ! Router loopbacks
access-list 198 deny ip any any log
!
! Industry convention is that acl 199 blocks everything
access-list 199 deny ip any any log
!
! BGP INBOUND filters
ip prefix-list infilter description Networks which shouldn't be accepted
ip prefix-list infilter deny 0.0.0.0/8 le 32
ip prefix-list infilter deny 10.0.0.0/8 le 32
ip prefix-list infilter deny 127.0.0.0/8 le 32
ip prefix-list infilter deny 169.254.0.0/16 le 32
ip prefix-list infilter deny 172.16.0.0/12 le 32
ip prefix-list infilter deny 192.0.2.0/24 le 32
ip prefix-list infilter deny 192.168.0.0/16 le 32
ip prefix-list infilter deny 220.144.128.0/19 le 32
ip prefix-list infilter deny 224.0.0.0/3 le 32
ip prefix-list infilter deny 0.0.0.0/0 ge 25
ip prefix-list infilter permit 0.0.0.0/0 le 32
!
! BGP OUTBOUND filters
ip prefix-list outfilter description Networks which should be announced to upstreams
ip prefix-list outfilter permit 220.144.128.0/19
!
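A second added check (example code written for this page, not part of the configuration and not a Cisco tool): an evaluator for the `infilter` and `outfilter` prefix-lists under IOS first-match semantics. The rules it encodes are the ones that make these lists work: an entry matches only when the route lies inside the entry's prefix, and its length must satisfy the bounds, which are an exact length when neither `ge` nor `le` is given, `ge`..32 with `ge` alone, the entry's length..`le` with `le` alone, and `ge`..`le` with both; a route matching no entry is denied. Two consequences are worth checking explicitly: `deny 0.0.0.0/0 ge 25` stops anything longer than a /24 from either upstream, and because `permit 0.0.0.0/0 le 32` has no `ge`, a default route 0.0.0.0/0 from an upstream is accepted by this list. On the outbound side the bare `permit 220.144.128.0/19` is an exact match, so only the aggregate goes out and a leaked /24 of the block is dropped. The candidate prefixes in the test are constructed; 203.0.113.0/24 is documentation space.

```python
"""Added example (not from the page or from Cisco): evaluate the infilter and
outfilter prefix-lists above with IOS first-match ge/le semantics."""
import ipaddress

# The two prefix-lists as configured above (description lines are skipped).
PREFIX_LISTS = """
ip prefix-list infilter description Networks which shouldn't be accepted
ip prefix-list infilter deny 0.0.0.0/8 le 32
ip prefix-list infilter deny 10.0.0.0/8 le 32
ip prefix-list infilter deny 127.0.0.0/8 le 32
ip prefix-list infilter deny 169.254.0.0/16 le 32
ip prefix-list infilter deny 172.16.0.0/12 le 32
ip prefix-list infilter deny 192.0.2.0/24 le 32
ip prefix-list infilter deny 192.168.0.0/16 le 32
ip prefix-list infilter deny 220.144.128.0/19 le 32
ip prefix-list infilter deny 224.0.0.0/3 le 32
ip prefix-list infilter deny 0.0.0.0/0 ge 25
ip prefix-list infilter permit 0.0.0.0/0 le 32
ip prefix-list outfilter permit 220.144.128.0/19
"""

def parse_prefix_list(text, name):
    """Return [(action, network, ge, le)] for the entries of prefix-list `name`,
    in configuration order; other lists and 'description' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 5 or t[:3] != ["ip", "prefix-list", name]:
            continue
        if t[3] not in ("permit", "deny"):
            continue
        net = ipaddress.ip_network(t[4], strict=False)
        ge = le = None
        for key, val in zip(t[5::2], t[6::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        entries.append((t[3], net, ge, le))
    return entries

def match(entries, prefix):
    """First-match lookup. Returns (action, index) of the matching entry, or
    ('deny', None) for the implicit deny at the end of every prefix-list.
    Length bounds: none -> exact; ge only -> ge..32; le only -> len..le;
    both -> ge..le."""
    route = ipaddress.ip_network(prefix, strict=False)
    for i, (action, net, ge, le) in enumerate(entries):
        if not route.subnet_of(net):        # route must lie inside the entry
            continue
        lo = net.prefixlen if ge is None else ge
        if ge is None and le is None:
            hi = net.prefixlen
        else:
            hi = 32 if le is None else le
        if lo <= route.prefixlen <= hi:
            return action, i
    return "deny", None

INFILTER = parse_prefix_list(PREFIX_LISTS, "infilter")
OUTFILTER = parse_prefix_list(PREFIX_LISTS, "outfilter")

def accepted_from_upstream(prefix):
    """True if the border router would accept this prefix from Buzz or Whoosh."""
    return match(INFILTER, prefix)[0] == "permit"

def announced_to_upstream(prefix):
    """True if the border router would announce this prefix to the upstreams."""
    return match(OUTFILTER, prefix)[0] == "permit"

if __name__ == "__main__":
    # Constructed candidates: a martian, a normal /24, a too-long /26,
    # the router's own block coming back from outside, and a default route.
    for p in ["10.1.0.0/16", "203.0.113.0/24", "203.0.113.0/26",
              "220.144.130.0/24", "0.0.0.0/0"]:
        print(p, "in:", match(INFILTER, p), "out:", match(OUTFILTER, p))
```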

tacacs-server host 220.144.159.129
tacacs-server key SecretToo
snmp-server community NotTelling RO 1
snmp-server location Somewhere
snmp-server contact Network Operations Center <[email protected]>
snmp-server enable traps snmp
snmp-server host 220.144.159.130 SecretToo
banner login ^
Authorized Access Only

This system is the property of Galaxy Internet

Disconnect IMMEDIATELY if you are not an authorized user!
Contact [email protected] +98 765 4321 for help.
^
line con 0
 exec-timeout 3 0
 transport preferred none
 transport input none
 transport output telnet
line aux 0
 transport preferred none
 transport input none
 transport output telnet
line vty 0 4
 access-class 198 in
 exec-timeout 0 0
 transport preferred none
 transport input telnet ssh
 transport output telnet
!
! Where Router core-dumps go
exception protocol ftp
exception dump 220.144.159.129
! NTP configuration
ntp authentication-key 1 md5 secretAlso
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 219.10.1.1
ntp peer 220.144.159.1 key 1
ntp server 219.50.10.1
