

公司出口路由器配置

2012-03-28 23:15 浏览: 路由器配置

!

!
! Global services and device identity for the border router (IOS 12.4).
! TCP keepalives in both directions let the router tear down half-dead management sessions.
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
! Debug and log timestamps follow the router's local clock (see `clock timezone` below).
service timestamps debug datetime localtime
service timestamps log datetime localtime
! NOTE(review): password-encryption only applies the reversible type 7 encoding to
! plain-text passwords; it adds nothing to the type 5 secrets used in this config.
service password-encryption
no service dhcp
!
hostname border
!
boot-start-marker
boot-end-marker
!
! NOTE(review): this type 5 (MD5-crypt) value is identical, salt included, to the one on
! the `username xiaohe` line, so the enable secret and the login secret are the same
! password. A hash that has been published in a listing should be treated as exposed:
! rotate both secrets and redact hashes before sharing a configuration.
enable secret 5 $1$jXfg$3OY1xeyi4OoLarvTw10AN1
!
! AAA: a single named login method list, `manage_access`, backed only by the local user
! database. It is applied to `line con 0` and `line vty 0 4` further down. No default
! method list, authorization or accounting statements appear in this listing.
! NOTE(review): the username prompt is relabelled "Password:" and the password prompt
! "Password-Error,try-again!". This looks like deliberate obfuscation; it is not an access
! control and will confuse operators during an incident - confirm it is intended.
aaa new-model
!
!
! Limits each login session to two authentication attempts.
aaa authentication attempts login 2
aaa authentication fail-message C
The password error,Please try_again

aaa authentication password-prompt Password-Error,try-again!
aaa authentication username-prompt Password:
aaa authentication login manage_access local
!
!
aaa session-id common
memory-size iomem 5
! NOTE(review): the zone is named "gmt" but carries a +8 hour offset, and log/debug
! timestamps use localtime - anyone correlating these logs with other sources must
! treat them as UTC+8, not GMT.
clock timezone gmt 8
!
!
! Forwarding and name-resolution basics. DNS lookups from the CLI and the BOOTP server
! are both switched off, which removes two services a border router does not need.
ip cef
no ip domain lookup
ip domain name xiaohe.com
!
!
no ip bootp server
! presumably IOS-generated defaults for auth-proxy / admission; neither feature is
! configured anywhere else in this listing - TODO confirm.
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! The only local account: privilege 15 (full access) and, per the hash, the same password
! as `enable secret`. A single shared top-privilege login gives no per-operator
! accountability.
! NOTE(review): hash is published here - treat as exposed and rotate (same value as the
! enable secret).
username xiaohe privilege 15 secret 5 $1$jXfg$3OY1xeyi4OoLarvTw10AN1
! Configuration-change archive: `hidekeys` keeps passwords out of the logged commands.
! NOTE(review): no `logging enable` is shown under `log config`, so the change logger
! may not actually be recording - verify on the device.
archive
 log config
  hidekeys

!
!
!
!
! Track objects 1 and 2 follow the reachability result of IP SLA probes 1 and 2
! (defined near the end of the config); the static routes below reference them.
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
!
! Per-VLAN rate limiting. `down-2M`/`2M` match ACLs to-vlan10 and to-vlan20,
! `down-1M`/`1M` match to-vlan30; the two pairs have identical match conditions.
! NOTE(review): all three to-vlanNN ACLs match on destination 172.16.x only. The
! `traffic-control` policy is attached in the input direction on Fa0/0 and Fa0/1, where
! traffic from those VLANs would carry 172.16.x as its source - verify that the
! upstream policer matches anything at all.
class-map match-any down-2M
 match access-group name to-vlan10
 match access-group name to-vlan20
class-map match-any down-1M
 match access-group name to-vlan30
class-map match-any 1M
 match access-group name to-vlan30
class-map match-any 2M
 match access-group name to-vlan10
 match access-group name to-vlan20
!
!
! Policers: 2 Mbit/s (burst 2500000) and 1 Mbit/s (burst 1250000); traffic above the
! rate is dropped rather than re-marked.
policy-map traffic-control-down
 class down-2M
    police 2000000 2500000 conform-action transmit  exceed-action drop 
 class down-1M
    police 1000000 1250000 conform-action transmit  exceed-action drop 
policy-map traffic-control
 class 2M
    police 2000000 2500000 conform-action transmit  exceed-action drop 
 class 1M
    police 1000000 1250000 conform-action transmit  exceed-action drop 
!
!
!
!
!
! Layer 3 interfaces: one loopback, two NAT-inside links toward the internal routers
! (192.168.0.0/24 and 192.168.1.0/24) and one NAT-outside link to the provider.
! NOTE(review): 1.1.1.0/24 is publicly routed address space, not a private or
! documentation range. Using it on the loopback and advertising it into OSPF makes the
! real 1.1.1.0/24 unreachable from this network - renumber to an RFC 1918 address.
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
! Inside link 1. Inbound traffic is filtered by the DefenceVirus port blocklist and
! policed by the traffic-control policies. OSPF cost 100 makes this the preferred link
! over Fa0/1 (cost 200) for OSPF-learned paths.
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip access-group DefenceVirus in
 ip nat inside
 ip virtual-reassembly
 ip ospf cost 100
 duplex auto
 speed auto
 priority-group 1
 service-policy input traffic-control
 service-policy output traffic-control-down
!
! Inside link 2, configured the same way as Fa0/0 apart from address and OSPF cost.
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group DefenceVirus in
 ip nat inside
 ip virtual-reassembly
 ip ospf cost 200
 duplex auto
 speed auto
 priority-group 1
 service-policy input traffic-control
 service-policy output traffic-control-down
!
! Internet-facing interface (public addresses redacted as 222.xx.xx.N by the author).
! NOTE(review): the only inbound filter is Deny_Pri_IP, a standard ACL that drops RFC 1918
! sources and permits everything else. Nothing here limits which ports are reachable, so
! the router's own telnet service and every static NAT forward are open to any public
! source. ACL 110 is not attached to this or any other interface in this listing.
! NOTE(review): the OSPF `network 222.xx.xx.0` statement also enables OSPF on this
! interface. Consider `no ip redirects`, `no ip unreachables` and `no ip proxy-arp` here
! as well; none of them appear in the listing.
interface FastEthernet1/0
 ip address 222.xx.xx.4 255.255.255.240 secondary
 ip address 222.xx.xx.3 255.255.255.240
 ip access-group Deny_Pri_IP in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Sixteen switch-module ports (FastEthernet2/0 - 2/15) with no configuration at all,
! plus Vlan1 with no IP address.
! NOTE(review): none of these ports is shown as `shutdown`, so they appear to be live
! access ports in the default VLAN. If they are unused, shut them down (or move them to
! an unused VLAN) so that a cable plugged into the router does not get a working port.
interface FastEthernet2/0
!
interface FastEthernet2/1
!
interface FastEthernet2/2
!
interface FastEthernet2/3
!
interface FastEthernet2/4
!
interface FastEthernet2/5
!
interface FastEthernet2/6
!
interface FastEthernet2/7
!
interface FastEthernet2/8
!
interface FastEthernet2/9
!
interface FastEthernet2/10
!
interface FastEthernet2/11
!
interface FastEthernet2/12
!
interface FastEthernet2/13
!
interface FastEthernet2/14
!
interface FastEthernet2/15
!
interface Vlan1
 no ip address
!
! OSPF process 1, single area 0, covering the loopback, both inside links and the
! public /24 that contains the outside interface; connected networks are redistributed.
! NOTE(review): the `network 222.xx.xx.0` statement turns OSPF on for FastEthernet1/0,
! and no `passive-interface` or OSPF authentication is configured in this listing. As
! written the router would send hellos onto the provider segment and accept an
! adjacency from any OSPF speaker there, which is a route-injection risk. Make Fa1/0
! passive (`passive-interface FastEthernet1/0`) or drop that network statement, and
! enable `ip ospf authentication message-digest` with a key on the inside links.
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 network 222.xx.xx.0 0.0.0.255 area 0
!
! Both the HTTP and HTTPS management servers are disabled.
no ip http server
no ip http secure-server
!
! Static routing toward the internal 172.16.x.0/24 networks. Every prefix has two routes
! of equal distance: one via 192.168.0.2 bound to track 1, one via 192.168.1.2 bound to
! track 2. A route is withdrawn when its IP SLA probe reports the next hop unreachable.
ip forward-protocol nd
ip route 172.16.1.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.10.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.20.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.30.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.40.0 255.255.255.0 192.168.0.2 track 1
ip route 172.16.1.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.10.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.20.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.30.0 255.255.255.0 192.168.1.2 track 2
ip route 172.16.40.0 255.255.255.0 192.168.1.2 track 2
! NOTE(review): the default route names only the outgoing Ethernet interface, so the
! router ARPs for every Internet destination and depends on the upstream device
! answering (proxy ARP). Pointing it at the provider's next-hop address is more
! predictable and keeps the ARP table small.
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
!
! NAT. Two single-address pools: `internet` (222.xx.xx.3) for the user and transit
! networks matched by ACLs 1-6, and `web` (222.xx.xx.4) for the 172.16.40.0/24 server
! network matched by the `web` ACL. Both are used with overload (PAT).
ip nat pool web 222.xx.xx.4 222.xx.xx.4 netmask 255.255.255.240
ip nat pool internet 222.xx.xx.3 222.xx.xx.3 netmask 255.255.255.240
ip nat inside source list 1 pool internet overload
ip nat inside source list 2 pool internet overload
ip nat inside source list 3 pool internet overload
ip nat inside source list 4 pool internet overload
ip nat inside source list 5 pool internet overload
ip nat inside source list 6 pool internet overload
ip nat inside source list web pool web overload
! Static port forwards on 222.xx.xx.4 to two internal servers:
!   172.16.40.200 -> tcp/8080, tcp/2700
!   172.16.40.201 -> tcp/21 (FTP), tcp/80 (HTTP), tcp/3389 (RDP)
! NOTE(review): the inbound ACL on Fa1/0 filters by source address class only, so all
! five forwards are reachable from any public address. RDP and FTP in particular should
! not be exposed this way - restrict them by source with an extended ACL on Fa1/0 or
! put them behind a VPN, and replace cleartext FTP if credentials cross the Internet.
ip nat inside source static tcp 172.16.40.200 8080 222.xx.xx.4 8080 extendable
ip nat inside source static tcp 172.16.40.200 2700 222.xx.xx.4 2700 extendable
ip nat inside source static tcp 172.16.40.201 21 222.xx.xx.4 21 extendable
ip nat inside source static tcp 172.16.40.201 80 222.xx.xx.4 80 extendable
ip nat inside source static tcp 172.16.40.201 3389 222.xx.xx.4 3389 extendable
!
!
! Deny_Pri_IP: anti-spoofing filter applied inbound on FastEthernet1/0. As a standard
! ACL it matches on source address only: RFC 1918 sources are dropped, all else passes.
! NOTE(review): other sources that should never arrive from the Internet are not
! covered (127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, and the site's own
! public prefix), and no entry logs, so spoofing attempts leave only hit counters.
ip access-list standard Deny_Pri_IP
 deny   10.0.0.0 0.255.255.255
 deny   172.16.0.0 0.15.255.255
 deny   192.168.0.0 0.0.255.255
 permit any
!
! web: selects the 172.16.40.0/24 server network for the `web` NAT pool.
ip access-list standard web
 permit 172.16.40.0 0.0.0.255
! DefenceVirus: destination-port blocklist applied inbound on both inside interfaces
! (Fa0/0, Fa0/1), i.e. to traffic arriving from the internal networks. Everything not
! listed is permitted by the final entry.
! NOTE(review): a fixed port blocklist only stops traffic that uses these exact ports;
! it is not a substitute for egress allow-listing. Specific gaps visible here:
!   - tcp 136-138 are denied, but the NetBIOS name and datagram services run over UDP
!     137/138, which are not in the udp section;
!   - `eq 455` looks like a typo for 445, which is already listed;
!   - no entry carries `log`, so blocked infection attempts are visible only as hit
!     counters. Adding `log` to the SMB/RPC denies would identify infected hosts.
ip access-list extended DefenceVirus
 deny   tcp any any eq 27665
 deny   tcp any any eq 16660
 deny   tcp any any eq 65000
 deny   tcp any any eq 33270
 deny   tcp any any eq 39168
 deny   tcp any any eq 6711
 deny   tcp any any eq 6712
 deny   tcp any any eq 6776
 deny   tcp any any eq 6669
 deny   tcp any any eq 2222
 deny   tcp any any eq 7000
 deny   tcp any any eq 135
 deny   tcp any any eq 136
 deny   tcp any any eq 137
 deny   tcp any any eq 138
 deny   tcp any any eq 139
 deny   tcp any any eq 445
 deny   tcp any any eq 4444
 deny   tcp any any eq 5554
 deny   tcp any any eq 9996
 deny   tcp any any eq 3332
 deny   tcp any any eq 1068
 deny   tcp any any eq 455
 deny   udp any any eq 31335
 deny   udp any any eq 27444
 deny   udp any any eq 135
 deny   udp any any eq 136
 deny   udp any any eq 445
 deny   udp any any eq 4444
 permit ip any any
! Classifier ACLs for the QoS class-maps: each matches any traffic destined to one
! VLAN subnet.
ip access-list extended to-vlan10
 permit ip any 172.16.10.0 0.0.0.255
ip access-list extended to-vlan20
 permit ip any 172.16.20.0 0.0.0.255
ip access-list extended to-vlan30
 permit ip any 172.16.30.0 0.0.0.255
! IP SLA probes feeding track 1 and track 2: an ICMP echo to each internal next hop
! every 3 seconds with a 999 ms timeout, started immediately and running forever.
ip sla 1
 icmp-echo 192.168.0.2 source-interface FastEthernet0/0
 timeout 999
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.2 source-interface FastEthernet0/1
 timeout 999
 frequency 3
ip sla schedule 2 life forever start-time now
! Standard ACLs 1-6 select the inside source networks that are translated through the
! `internet` NAT pool: four 172.16.x.0/24 user networks plus the two 192.168.x.0/24
! transit links.
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 3 permit 172.16.20.0 0.0.0.255
access-list 4 permit 172.16.30.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.1.0 0.0.0.255
! ACL 110: intended as an Internet-edge filter (management protocols, ICMP types,
! spoofed and unallocated sources).
! NOTE(review): as written it provides almost no protection:
!   1. It is not referenced by any `ip access-group`, `access-class` or NAT statement
!      in this listing, so it appears to be unused.
!   2. The third entry is `permit ip any any`. ACLs are first-match, so only the two
!      SNMP denies above it can ever take effect; every later entry is unreachable.
!   3. Several later entries contradict each other (`deny icmp any any echo` followed
!      by `permit icmp any any echo`; `deny udp ... 33400` followed by `permit udp ...
!      33400`), so the intended policy has to be decided before reordering.
!   4. The long run of /8 denies is a snapshot of address space that was unallocated
!      when the list was written. Static lists like this go stale as space is
!      allocated; enabling them unchanged would drop legitimate Internet traffic.
!   5. The last six lines are `remark` statements. Everything after `remark` is
!      comment text, so those bogon denies and the closing permit are not entries.
! Do not simply move the permit to the end and apply the list: rebuild it around the
! RFC 1918 / loopback / link-local / multicast sources and the services that must be
! closed, then attach it inbound on FastEthernet1/0.
access-list 110 deny   udp any any eq snmptrap
access-list 110 deny   udp any any eq snmp
! Everything below this permit is shadowed.
access-list 110 permit ip any any
access-list 110 deny   tcp any any eq telnet
access-list 110 deny   tcp any any range exec cmd
access-list 110 deny   tcp any any eq sunrpc
access-list 110 deny   udp any any eq sunrpc
access-list 110 deny   tcp any any range 135 445
access-list 110 deny   tcp any any eq ftp
access-list 110 deny   icmp any any echo log
access-list 110 deny   icmp any any redirect log
access-list 110 deny   icmp any any mask-request log
access-list 110 permit icmp any any
access-list 110 permit icmp any any echo
access-list 110 deny   udp any any eq 33400
access-list 110 permit udp any any eq 33400
! Spoofed-source denies: loopback and RFC 1918 ranges.
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
! Redundant: already covered by the 192.168.0.0/16 entry above.
access-list 110 deny   ip 192.168.2.0 0.0.0.255 any
! Covers 224.0.0.0/8 only, not the whole multicast range 224.0.0.0/4.
access-list 110 deny   ip 224.0.0.0 0.255.255.255 any
! Formerly-unallocated /8 blocks (stale - see note 4 above).
access-list 110 deny   ip 1.0.0.0 0.255.255.255 any
access-list 110 deny   ip 2.0.0.0 0.255.255.255 any
access-list 110 deny   ip 5.0.0.0 0.255.255.255 any
access-list 110 deny   ip 14.0.0.0 0.255.255.255 any
access-list 110 deny   ip 23.0.0.0 0.255.255.255 any
access-list 110 deny   ip 27.0.0.0 0.255.255.255 any
access-list 110 deny   ip 31.0.0.0 0.255.255.255 any
access-list 110 deny   ip 36.0.0.0 0.255.255.255 any
access-list 110 deny   ip 37.0.0.0 0.255.255.255 any
access-list 110 deny   ip 39.0.0.0 0.255.255.255 any
access-list 110 deny   ip 42.0.0.0 0.255.255.255 any
access-list 110 deny   ip 46.0.0.0 0.255.255.255 any
access-list 110 deny   ip 49.0.0.0 0.255.255.255 any
access-list 110 deny   ip 50.0.0.0 0.255.255.255 any
access-list 110 deny   ip 100.0.0.0 0.255.255.255 any
access-list 110 deny   ip 101.0.0.0 0.255.255.255 any
access-list 110 deny   ip 102.0.0.0 0.255.255.255 any
access-list 110 deny   ip 103.0.0.0 0.255.255.255 any
access-list 110 deny   ip 104.0.0.0 0.255.255.255 any
access-list 110 deny   ip 105.0.0.0 0.255.255.255 any
access-list 110 deny   ip 106.0.0.0 0.255.255.255 any
access-list 110 deny   ip 107.0.0.0 0.255.255.255 any
access-list 110 deny   ip 175.0.0.0 0.255.255.255 any
access-list 110 deny   ip 176.0.0.0 0.255.255.255 any
access-list 110 deny   ip 177.0.0.0 0.255.255.255 any
access-list 110 deny   ip 179.0.0.0 0.255.255.255 any
access-list 110 deny   ip 181.0.0.0 0.255.255.255 any
access-list 110 deny   ip 182.0.0.0 0.255.255.255 any
access-list 110 deny   ip 185.0.0.0 0.255.255.255 any
access-list 110 deny   ip 198.18.0.0 0.1.255.255 any
access-list 110 deny   ip 223.0.0.0 0.255.255.255 any
! Redundant: already covered by the 172.16.0.0/12 entry above.
access-list 110 deny   ip 172.16.0.0 0.0.255.255 any
! The following are remarks only; none of them is an active entry (see note 5 above).
access-list 110 remark Other bogons deny ip 224.0.0.0 15.255.255.255 any
access-list 110 remark Other bogons deny ip 240.0.0.0 15.255.255.255 any
access-list 110 remark Other bogons deny ip 0.0.0.0 0.255.255.255 any
access-list 110 remark Other bogons deny ip 169.254.0.0 0.0.255.255 any
access-list 110 remark Other bogons deny ip 192.0.2.0 0.0.0.255 any
access-list 110 remark permit all other traffic permit ip any any
! Priority queueing list 1 (bound to Fa0/0 and Fa0/1 with `priority-group 1`): telnet
! goes to the high queue, FTP to the low queue.
priority-list 1 protocol ip high tcp telnet
priority-list 1 protocol ip low tcp ftp
! CDP is disabled globally, so the router does not advertise its model, IOS version
! and addresses to neighbours on any segment.
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
! Message-of-the-day banner and terminal lines.
! NOTE(review): the banner is a greeting that names the owner. A login banner is better
! used for an authorised-use notice that does not identify the organisation or device.
banner motd C
This Router is for xiaohe and thank you again!

!
! Console and vty 0-4 authenticate against the local `manage_access` method list.
! NOTE(review): management access is the weakest part of this config:
!   - `transport input telnet` sends the username and password in cleartext. Hostname
!     and domain name are already set, so after `crypto key generate rsa` the lines can
!     move to `transport input ssh` with `ip ssh version 2`.
!   - no `access-class` is applied to the vty lines, and the inbound ACL on Fa1/0 does
!     not block tcp/23, so the login prompt is reachable from the Internet. Bind the
!     vty lines to a management-source ACL (`access-class <MGMT_ACL> in`).
!   - no `exec-timeout` is set on any line.
!   - `line aux 0` has no configuration; if it is unused, disable it with `no exec` and
!     `transport input none`.
!   - only vty 0 4 is shown; if the platform has further vty lines, confirm they carry
!     the same restrictions.
line con 0
 logging synchronous
 login authentication manage_access
line aux 0
line vty 0 4
 login authentication manage_access
 transport input telnet
!
! NTP client: one upstream server, queried from the Internet-facing interface.
! `ntp clock-period` is a value the router writes itself and need not be copied between
! devices.
! NOTE(review): there is a single time source and no NTP authentication
! (`ntp authenticate` with a trusted key) or `ntp access-group`, so log timestamps rest
! on one unauthenticated server, and the router's own NTP service is not restricted.
! Add a second source and limit who may query or synchronise with the router.
ntp clock-period 17207853
ntp source FastEthernet1/0
ntp server 129.6.15.28
!
end

本文出自 “yexusky' b109” 博客,请务必保留此出处http://yexusky.blog.51cto.com/223988/818722