-
Notifications
You must be signed in to change notification settings - Fork 0
/
ix2105-template.txt
144 lines (127 loc) · 4.06 KB
/
ix2105-template.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
hostname <%= my["hostname"] %>
username <%= common["user"] %> password plain 0 <%= common["password"] %>
<%# syslog関連 %>
logging buffered 4096
logging subsystem all warn
logging timestamp datetime
syslog facility local7
syslog id hostname
syslog ip enable
<% common["syslog-servers"].each do |syslog_server| %>
syslog ip host <%= syslog_server %>
<% end %>
syslog ip source <%= my["mgmt-addr-host"] %>
syslog timestamp datetime
<%# SSH/telnet %>
ssh-server ip access-list remote_access
ssh-server ip enable
telnet-server ip enable
<%# ntp %>
ntp ip enable
ntp interval 3600
ntp retry 10
ntp server <%= common["ntp-server"] %>
<%# snmp %>
snmp-agent ip enable
snmp-agent ip community <%= common["snmp-community"] %>
<% common["snmp-servers"].each do |snmp_server| %>
snmp-agent ip host <%= snmp_server %> <%= common["snmp-community"] %> version 2
<% end %>
snmp-agent ip trap-source GigaEthernet1.1
<%# DHCPリレー %>
ip dhcp-relay enable
<%# ルーティング関連 %>
ip ufs-cache enable
ipv6 ufs-cache enable
ip ufs-cache max-entries 65535
ipv6 ufs-cache max-entries 65535
ip cache-size 65535
ipv6 cache-size 20200
ip route default Tunnel0.0
<% if my["pppoe-id"] and my["pppoe-password"] %>
ip route <%= my["ipsec-peer"] %>/32 GigaEthernet0.1
<% else %>
ip route <%= my["ipsec-peer"] %>/32 GigaEthernet0.0 dhcp
<% end %>
<%# フィルタ %>
ip access-list remote_access permit ip src 10.200.0.0/16 dest any
ip access-list sec-list permit ip src any dest any
ip access-list user_acl deny ip src <%= my["user-prefix"] %> dest <%= my["mgmt-prefix"] %>
ip access-list user_acl permit ip src any dest any
<%# IKE関連 %>
ike initial-contact always
ike proposal conbu_prop encryption aes-256 hash sha2-512 group 2048-bit
ike policy conbu_ike peer <%= my["ipsec-peer"] %> key <%= common["ipsec-key"] %> mode aggressive conbu_prop
ike keepalive conbu_ike 10 3
ike local-id conbu_ike fqdn <%= my["ipsec-local-id"] %>
ike remote-id conbu_ike fqdn <%= my["ipsec-remote-id"] %>
ike suppress-dangling conbu_ike
ike nat-traversal policy conbu_ike
ipsec autokey-map conbu_ipsec_seg sec-list peer <%= my["ipsec-peer"] %> secprop pfs 2048-bit
ipsec autokey-proposal secprop esp-aes-256 esp-sha2-512
ipsec rekey remaining-lifetime default second 30
ipsec local-id conbu_ipsec_seg <%= my["ipsec-local-net"] %>
ipsec remote-id conbu_ipsec_seg 0.0.0.0/0
no ipsec ike-passthru
<%# watch-group 関連 %>
watch-group wg-cloud-01 10
event 10 ip unreach-host <%= my["ipsec-peer"] %> Tunnel0.0 source Tunnel0.0
action 10 ipsec clear-sa TUnnel0.0 policy conbu_ipsec_seg
probe-counter variance 3
probe-counter restorer 5
probe-counter watch 3
probe-timer restorer 60
probe-timer variance 5
probe-timer wait 3
network-monitor wg-cloud-01 enable
<%# PPPoE 関連 %>
<% if my["pppoe-ie"] and my["pppoe-password"] %>
ppp profile pppprofile0
authentication myname <%= my["pppoe-id"] %>
authentication password <%= my["pppoe-id"] %> <%= my["pppoe-password"] %>
<% end %>
<%# 上流 %>
interface GigaEthernet0.0
<% if my["pppoe-id"] and ["pppoe-password"] %>
<%# PPPoE IPv4でアドレスをもらう %>
description PPPoE0
encapsulation pppoe
auto-connect
ppp binding pppprofile0
ip address ipcp
ip mtu 1454
ip tcp adjust-mss auto
no shutdown
<% else %>
<%# DHCPでアドレスをもらう %>
ip address dhcp
no shutdown
<% end %>
!
<%# 下流(MGMT): タグは3000 %>
interface GigaEthernet1.1
description MANAGEMENT
encapsulation dot1q 3000 tpid 8100
ip address <%= my["mgmt-prefix"] %>
ip dhcp-relay server <%= common["dhcp-server"] %> source <%= my["mgmt-addr-host"] %>
no shutdown
!
<%# 下流(USER): タグは3001 %>
interface GigaEthernet1.2
description USER
encapsulation dot1q 3001 tpid 8100
ip address <%= my["user-prefix"] %>
ip dhcp-relay server <%= common["dhcp-server"] %> source <%= my["user-addr-host"] %>
ip filter user_acl 1 in
no shutdown
!
<%# IPsecトンネル %>
interface Tunnel0.0
description ToCloud
tunnel mode ipsec
ip unnumbered GigaEthernet1.1
ip mtu 1280
ip tcp adjust-mss auto
ipsec policy tunnel conbu_ipsec_seg df-bit ignore pre-fragment out
no shutdown
!