@sorah sorah/kotori.config
Created May 10, 2015

! NEC Portable Internetwork Core Operating System Software
! IX Series IX2010 (magellan-sec) Software, Version 8.3.49, RELEASE SOFTWARE
! Compiled Nov 25-Fri-2011 10:29:23 JST #1
! Current time May 11-Mon-2015 03:53:50 JST
!
!
! Router identity, timezone and terminal (CLI session) defaults.
! NOTE(review): "terminal timeout 10" is presumably the idle timeout for
! management sessions; confirm the unit against the IX command reference.
hostname kotori
timezone +09 00
terminal default-length 0
terminal default-width 120
terminal timeout 10
terminal timestamp datetime
terminal speed 38400
!
!
!
! The only local account in this listing; it carries the administrator role.
! The hash value appears to be a placeholder substituted before publication.
! An unredacted export carries the real password hash on this line, so redact
! it before sharing a config dump.
username root password hash DEADBEEF administrator
!
!
!
! NTP is enabled for IPv4 and IPv6. One upstream server is configured and
! queries are sourced from the PPPoE interface FastEthernet0/0.1.
! NOTE(review): no NTP authentication appears in this listing and there is a
! single time source; log timestamps (terminal timestamp datetime) depend on it.
ntp ip enable
ntp ipv6 enable
ntp server 133.243.238.244 source FastEthernet0/0.1
ntp retry 2
ntp interval 120
!
!
!
! Logging goes to a local buffer; the listed subsystems log at "warn".
! NOTE(review): no remote log destination appears in this listing, so filter
! and NAT events are presumably lost on reboot or buffer wrap. Confirm
! whether off-box logging is configured elsewhere.
logging buffered 131072
logging subsystem ntp warn
logging subsystem flt warn
logging subsystem nat warn
logging subsystem ppoe warn
logging subsystem ppp warn
! Frame-type access list: permits IPv6 and IPv4 frames from any source to any
! destination. Applied as "filter m-allow-v4v6 1 in" on FastEthernet0/0.0 and
! FastEthernet0/1.1.
access-list m-allow-v4v6 permit src any dest any type ipv6
access-list m-allow-v4v6 permit src any dest any type ip
!
!
! IPv4 routing and the named IPv4 access lists referenced by the interfaces,
! route-map, SNMP agent and telnet server further down.
ip ufs-cache enable
! Default route leaves via FastEthernet0/0.2 (PPPoE, profile iij-fiberaccess-nf).
ip route default FastEthernet0/0.2
ip route 192.168.96.0/19 FastEthernet0/1.1
! allow-all: unconditional permit. Used as the last entry (10000) on the VLAN
! interfaces and as the base of the dynamic list dyn-all.
ip access-list allow-all permit ip src any dest any
! allow-console: management source range; referenced by "telnet-server ip access-list".
ip access-list allow-console permit ip src 192.168.96.0/19 dest any
! allow-ping: ICMP message types accepted inbound on the three PPPoE
! interfaces at sequence 9000, ahead of deny-all at 10000.
ip access-list allow-ping permit icmp echo src any dest any
ip access-list allow-ping permit icmp echo-reply src any dest any
ip access-list allow-ping permit icmp ttl-exceeded src any dest any
ip access-list allow-ping permit icmp time-exceeded src any dest any
ip access-list allow-ping permit icmp host-unknown src any dest any
ip access-list allow-ping permit icmp network-unknown src any dest any
ip access-list allow-ping permit icmp port-unreachable src any dest any
ip access-list allow-ping permit icmp packet-too-big src any dest any
ip access-list allow-ping permit icmp unreachable src any dest any
ip access-list allow-ping permit icmp net-unreachable src any dest any
ip access-list allow-ping permit icmp host-unreachable src any dest any
ip access-list allow-ping permit icmp protocol-unreachable src any dest any
! block-crs-home: inter-VLAN isolation. The permit entries cover traffic to
! and from the router's own per-VLAN addresses (the six addresses match the
! "ip address" lines on FastEthernet0/1.1 to 0/1.6). The final entry denies
! any other traffic between two 192.168.0.0/16 addresses.
! NOTE(review): the deny covers 192.168.0.0/16 only; 172.30.96.0/19 on
! FastEthernet0/1.6 is outside it, and that interface applies no ip filter.
ip access-list block-crs-home permit ip src any dest 192.168.96.1/32
ip access-list block-crs-home permit ip src any dest 192.168.0.10/32
ip access-list block-crs-home permit ip src any dest 192.168.32.1/32
ip access-list block-crs-home permit ip src any dest 192.168.128.1/32
ip access-list block-crs-home permit ip src any dest 192.168.160.1/32
ip access-list block-crs-home permit ip src any dest 172.30.96.1/32
ip access-list block-crs-home permit ip src 192.168.96.1/32 dest 192.168.0.0/16
ip access-list block-crs-home permit ip src 192.168.0.10/32 dest 192.168.0.0/16
ip access-list block-crs-home permit ip src 192.168.32.1/32 dest 192.168.0.0/16
ip access-list block-crs-home permit ip src 192.168.128.1/32 dest 192.168.0.0/16
ip access-list block-crs-home permit ip src 192.168.160.1/32 dest 192.168.0.0/16
ip access-list block-crs-home permit ip src 172.30.96.1/32 dest 192.168.0.0/16
ip access-list block-crs-home deny ip src 192.168.0.0/16 dest 192.168.0.0/16
! clients: not referenced anywhere else in this listing.
ip access-list clients permit ip src 192.168.32.0/19 dest any
ip access-list clients permit ip src 192.168.128.0/19 dest any
ip access-list clients permit ip src 192.168.160.0/19 dest any
ip access-list clients permit ip src 172.30.96.0/24 dest any
! deny-all: final inbound entry (10000) on the PPPoE interfaces.
ip access-list deny-all deny ip src any dest any
! deny-to-intl: not referenced anywhere else in this listing.
ip access-list deny-to-intl deny ip src any dest 10.0.0.0/8
! fixed-ext-ip / sonet-dy-ext-ip: source matches used by route-map rmap to
! choose the outgoing PPPoE interface.
ip access-list fixed-ext-ip permit ip src 192.168.0.0/19 dest any
ip access-list fixed-ext-ip permit ip src 192.168.96.0/19 dest any
! monitors: sources allowed to use the SNMP community (see snmp-agent).
! Two entries are single hosts; the other two are whole /19 client ranges.
ip access-list monitors permit ip src 10.0.0.1/32 dest any
ip access-list monitors permit ip src 10.2.0.1/32 dest any
ip access-list monitors permit ip src 192.168.96.0/19 dest any
ip access-list monitors permit ip src 192.168.128.0/19 dest any
ip access-list sonet-dy-ext-ip permit ip src 192.168.0.4/32 dest any
! svc-oakland: inbound service allow-list applied on FastEthernet0/0.1 and
! 0/0.2. Ports 8888, 22, 80 and 443 are opened to 192.168.96.10.
! NOTE(review): the 172.30.96.2/31 entry uses "dport any", i.e. every TCP port
! to those two addresses. Confirm that breadth is intended.
ip access-list svc-oakland permit tcp src any sport any dest 192.168.96.10/32 dport eq 8888
ip access-list svc-oakland permit tcp src any sport any dest 172.30.96.2/31 dport any
ip access-list svc-oakland permit tcp src any sport any dest 192.168.96.10/32 dport eq 22
ip access-list svc-oakland permit tcp src any sport any dest 192.168.96.10/32 dport eq 80
ip access-list svc-oakland permit tcp src any sport any dest 192.168.96.10/32 dport eq 443
! dyn-all: dynamic list built on allow-all, applied outbound (100) on the
! PPPoE interfaces; presumably it admits return traffic for outbound flows
! (confirm against the IX filter documentation).
ip access-list dynamic dyn-all access allow-all
!
!
! IPv6 access lists used by the "bridge ipv6 filter" lines on the interfaces.
ipv6 ufs-cache enable
ipv6 access-list v6-allow-all permit ip src any dest any
! v6-allow-ndp: neighbor discovery and router discovery messages.
ipv6 access-list v6-allow-ndp permit icmp neighbor-advertisement src any dest any
ipv6 access-list v6-allow-ndp permit icmp neighbor-solicitation src any dest any
ipv6 access-list v6-allow-ndp permit icmp router-solicitation src any dest any
ipv6 access-list v6-allow-ndp permit icmp router-advertisement src any dest any
ipv6 access-list v6-allow-ping permit icmp echo src any dest any
ipv6 access-list v6-allow-ping permit icmp echo-reply src any dest any
ipv6 access-list v6-deny-all deny ip src any dest any
! v6-oakland: per-port allow-list (80, 443, 22) for 2409:10:2040:500::beef.
! NOTE(review): no interface in this listing references v6-oakland, so these
! per-port limits are not enforced by the config as shown. Confirm whether
! it was meant to be applied on a bridge filter.
ipv6 access-list v6-oakland permit tcp src any sport any dest-domain 2409:10:2040:500::beef dport eq 80
ipv6 access-list v6-oakland permit tcp src any sport any dest-domain 2409:10:2040:500::beef dport eq 443
ipv6 access-list v6-oakland permit tcp src any sport any dest-domain 2409:10:2040:500::beef dport eq 22
! v6-dyn-all: dynamic list built on v6-allow-all (IPv6 counterpart of dyn-all).
ipv6 access-list dynamic v6-dyn-all access v6-allow-all
!
!
! SNMP agent over IPv4. The community string is "public", limited to the
! sources in access list "monitors".
! NOTE(review): "public" is the well-known default community and community
! strings travel in cleartext; the source ACL is the only control here and it
! includes two whole /19 ranges. Prefer a non-default string and a narrower
! source list.
snmp-agent ip enable
snmp-agent ip community public monitors
!
! IRB is enabled; "no bridge 1 bridge ip" takes IPv4 out of bridge group 1, so
! presumably only IPv6 is bridged and IPv4 is routed between the interfaces.
bridge irb enable
no bridge 1 bridge ip
!
!
! Resolver configuration: one internal and one public server for each address
! family, with the local DNS cache enabled.
ip name-server 192.168.96.10
ip name-server 8.8.8.8
ipv6 name-server 2409:10:2040:500::beef
ipv6 name-server 2404:1a8:7f01:b::3
dns cache enable
dns cache lifetime 3600
dns ncache lifetime 60
!
!
! Remote management is telnet over IPv4, limited by access list allow-console
! to sources in 192.168.96.0/19.
! NOTE(review): telnet carries the administrator password and the session in
! cleartext on that VLAN. If this firmware offers an SSH server, prefer it and
! disable telnet; otherwise keep the source range as narrow as possible.
telnet-server ip enable
telnet-server ip access-list allow-console
!
!
!
!
!
!
!
!
!
! Policy routing, applied with "ip policy route-map rmap" on the VLAN interfaces.
! Entry 10: traffic from 192.168.0.4 (sonet-dy-ext-ip) leaves via FastEthernet0/0.3.
! Entry 100: traffic from 192.168.0.0/19 and 192.168.96.0/19 (fixed-ext-ip)
! leaves via FastEthernet0/0.1. Anything unmatched presumably follows the
! default route via FastEthernet0/0.2.
route-map rmap permit 10
match ip address access-list sonet-dy-ext-ip
set interface FastEthernet0/0.3
!
route-map rmap permit 100
match ip address access-list fixed-ext-ip
set interface FastEthernet0/0.1
!
! PPP profiles bound to the three PPPoE interfaces. The account names and
! passwords are replaced with "xxx" in this listing; the live config holds
! the ISP credentials here, so these lines need redaction before sharing.
ppp profile iij-fiberaccess-nf
authentication myname xxx
authentication password xxx xxx
!
ppp profile sonet
authentication myname xxx
authentication password xxx xxx
!
ppp profile sonet-fixed
authentication myname xxx
authentication password xxx xxx
!
! Physical devices. Only BRI1/0 carries a setting (the ISDN switch type); its
! interface BRI1/0.0 is shut down further below.
device FastEthernet0/0
!
device FastEthernet0/1
!
device FastEthernet1/0
!
device BRI1/0
isdn switch-type hsd128k
!
! Base (untagged) interfaces.
! FastEthernet0/0.0 has no IPv4 address, takes its IPv6 address and default
! route by autoconfiguration, and is a member of bridge group 1. Its inbound
! bridge filters are v6-allow-ndp (100) followed by v6-allow-all (10000), so
! all IPv6 arriving here is admitted to the bridge.
! NOTE(review): with that, IPv6 restriction rests entirely on the "out"
! bridge filters of the other bridge-group members. Check each member
! interface for a closing v6-deny-all.
! FastEthernet1/0.0 and BRI1/0.0 are administratively shut down.
interface FastEthernet0/0.0
filter m-allow-v4v6 1 in
no ip address
ipv6 enable
ipv6 address autoconfig receive-default
bridge-group 1
bridge ipv6 filter v6-allow-ndp 100 in
bridge ipv6 filter v6-allow-all 10000 in
no shutdown
!
interface FastEthernet0/1.0
no ip address
no shutdown
!
interface FastEthernet1/0.0
no ip address
shutdown
!
interface BRI1/0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
!
! PPPoE uplinks. All three get their address via IPCP, run NAPT, and share the
! same filter skeleton: dyn-all (100) outbound; inbound allow-ping (9000) then
! deny-all (10000). 0/0.1 and 0/0.2 additionally apply svc-oakland (200) inbound.
!
! FastEthernet0/0.1 (profile sonet-fixed): static NAPT publishes TCP 22, 80,
! 443 and 8888 on 192.168.96.10; svc-oakland permits the same four ports.
! NOTE(review): SSH (22) on 192.168.96.10 is reachable from any source
! address; the host itself has to carry the access control for it.
interface FastEthernet0/0.1
encapsulation pppoe
auto-connect
ppp binding sonet-fixed
ip address ipcp
ip napt enable
ip napt translation max-entries 65535
ip napt static 192.168.96.10 tcp 22
ip napt static 192.168.96.10 tcp 80
ip napt static 192.168.96.10 tcp 443
ip napt static 192.168.96.10 tcp 8888
ip filter svc-oakland 200 in
ip filter allow-ping 9000 in
ip filter deny-all 10000 in
ip filter dyn-all 100 out
bridge ipv6 filter v6-dyn-all 9000 out
no shutdown
!
! FastEthernet0/0.2 (profile iij-fiberaccess-nf, carries the default route).
! "ip napt service any ... none any any" maps inbound traffic to one inside
! host without a protocol or port restriction.
! NOTE(review): the target is 172.20.96.2, which lies in no interface subnet
! in this listing; svc-oakland and FastEthernet0/1.6 use 172.30.96.x. This may
! be a typo for 172.30.96.2. Confirm, and confirm that forwarding every
! protocol and port to that host is intended.
interface FastEthernet0/0.2
encapsulation pppoe
auto-connect
ppp binding iij-fiberaccess-nf
ip address ipcp
ip napt enable
ip napt translation max-entries 65535
ip napt service any 172.20.96.2 none any any
ip filter svc-oakland 200 in
ip filter allow-ping 9000 in
ip filter deny-all 10000 in
ip filter dyn-all 100 out
no shutdown
!
! FastEthernet0/0.3 (profile sonet): no inbound service list; only the
! allow-ping ICMP types are permitted before deny-all.
interface FastEthernet0/0.3
encapsulation pppoe
auto-connect
ppp binding sonet
ip address ipcp
ip napt enable
ip napt translation max-entries 65535
ip filter allow-ping 9000 in
ip filter deny-all 10000 in
ip filter dyn-all 100 out
no shutdown
!
! 802.1Q VLAN interfaces on FastEthernet0/1. Each applies block-crs-home (100)
! then allow-all (10000) in both directions for IPv4, uses route-map rmap for
! policy routing, and joins bridge group 1 for IPv6.
!
! FastEthernet0/1.1: VLAN 1, 192.168.96.1/19 (the range allowed to telnet and
! SNMP). IPv6 toward this VLAN: echo/echo-reply (100), neighbor and router
! discovery (9500), then v6-deny-all (10000); v6-dyn-all on "in" presumably
! admits replies to flows started from this VLAN.
interface FastEthernet0/1.1
encapsulation dot1q 1 tpid 8100
filter m-allow-v4v6 1 in
auto-connect
ip address 192.168.96.1/19
ip filter block-crs-home 100 in
ip filter allow-all 10000 in
ip filter block-crs-home 100 out
ip filter allow-all 10000 out
ip policy route-map rmap
ipv6 enable
bridge-group 1
bridge ipv6 filter v6-dyn-all 9000 in
bridge ipv6 filter v6-allow-ping 100 out
bridge ipv6 filter v6-allow-ndp 9500 out
bridge ipv6 filter v6-deny-all 10000 out
no shutdown
!
! FastEthernet0/1.2: VLAN 100, 192.168.0.10/19.
! NOTE(review): this is the only VLAN whose outbound bridge filter ends in
! v6-allow-all rather than v6-deny-all. Together with v6-allow-all inbound on
! FastEthernet0/0.0, IPv6 appears to reach hosts on this VLAN unfiltered, and
! the port-limited list v6-oakland is never applied. Confirm this is intended.
interface FastEthernet0/1.2
encapsulation dot1q 100 tpid 8100
auto-connect
ip address 192.168.0.10/19
ip filter block-crs-home 100 in
ip filter allow-all 10000 in
ip filter block-crs-home 100 out
ip filter allow-all 10000 out
ip policy route-map rmap
bridge-group 1
bridge ipv6 filter v6-dyn-all 9000 in
bridge ipv6 filter v6-allow-ndp 9500 out
bridge ipv6 filter v6-allow-all 10000 out
no shutdown
!
! Client VLANs 200, 300 and 400. IPv4 handling is identical on all three:
! block-crs-home (100) then allow-all (10000) in both directions, plus policy
! routing through rmap. IPv6 toward each VLAN ends in v6-deny-all (10000)
! after neighbor/router discovery (9500); only VLAN 200 also lets
! echo/echo-reply through (v6-allow-ping at 100).
interface FastEthernet0/1.3
encapsulation dot1q 200 tpid 8100
auto-connect
ip address 192.168.32.1/19
ip filter block-crs-home 100 in
ip filter allow-all 10000 in
ip filter block-crs-home 100 out
ip filter allow-all 10000 out
ip policy route-map rmap
bridge-group 1
bridge ipv6 filter v6-dyn-all 9000 in
bridge ipv6 filter v6-allow-ping 100 out
bridge ipv6 filter v6-allow-ndp 9500 out
bridge ipv6 filter v6-deny-all 10000 out
no shutdown
!
interface FastEthernet0/1.4
encapsulation dot1q 300 tpid 8100
auto-connect
ip address 192.168.128.1/19
ip filter block-crs-home 100 in
ip filter allow-all 10000 in
ip filter block-crs-home 100 out
ip filter allow-all 10000 out
ip policy route-map rmap
bridge-group 1
bridge ipv6 filter v6-dyn-all 9000 in
bridge ipv6 filter v6-allow-ndp 9500 out
bridge ipv6 filter v6-deny-all 10000 out
no shutdown
!
interface FastEthernet0/1.5
encapsulation dot1q 400 tpid 8100
auto-connect
ip address 192.168.160.1/19
ip filter block-crs-home 100 in
ip filter allow-all 10000 in
ip filter block-crs-home 100 out
ip filter allow-all 10000 out
ip policy route-map rmap
bridge-group 1
bridge ipv6 filter v6-dyn-all 9000 in
bridge ipv6 filter v6-allow-ndp 9500 out
bridge ipv6 filter v6-deny-all 10000 out
no shutdown
!
! FastEthernet0/1.6: VLAN 10, 172.30.96.1/19, with NAPT enabled on the
! interface itself. It is not in bridge group 1 and has no "ip filter" lines.
! NOTE(review): with no filter here, nothing on this interface restricts
! traffic between 172.30.96.0/19 and the other VLANs beyond what their own
! filters permit. Confirm that is the intended trust level for this segment.
interface FastEthernet0/1.6
encapsulation dot1q 10 tpid 8100
auto-connect
ip address 172.30.96.1/19
ip napt enable
ip policy route-map rmap
no shutdown
!
! Loopback and null interfaces; neither has an IPv4 address assigned.
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address