SAISEI Config

stm1wins# show running_config
#
#
netflow_sender record
no description
no dynamic
max_flow_rate 0
name record
sample_rate 1
no policies
minimum_flow_size 0
no hidden
minimum_flow_duration 0.000
type csv
exit
#
#
ingress_flow_class games
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class games
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
no applications
minimum_distress 0
name games
no minimum_packets
no maximum_total_bytes
acl
top_host dontcare
no reputation
required_groups games
match_rate_plan
no threat_types
no maximum_duration
exit
ingress_flow_class other
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class other
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
no applications
minimum_distress 0
name other
no minimum_packets
no maximum_total_bytes
acl
top_host dontcare
no reputation
no required_groups
match_rate_plan
no threat_types
no maximum_duration
exit
ingress_flow_class speedtest
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class speedtest
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
no applications
minimum_distress 0
name speedtest
no minimum_packets
no maximum_total_bytes
acl
top_host dontcare
no reputation
required_groups speedtest
match_rate_plan
no threat_types
no maximum_duration
exit
ingress_flow_class streaming
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class streaming
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
no applications
minimum_distress 0
name streaming
no minimum_packets
no maximum_total_bytes
acl
top_host dontcare
no reputation
required_groups streaming
match_rate_plan
no threat_types
no maximum_duration
exit
ingress_flow_class updates
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class updates
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
no applications
minimum_distress 0
name updates
no minimum_packets
no maximum_total_bytes
acl
top_host dontcare
no reputation
required_groups updates
match_rate_plan
no threat_types
no maximum_duration
exit
ingress_flow_class voip
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class voip
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
no applications
minimum_distress 0
name voip
no minimum_packets
no maximum_total_bytes
acl
top_host dontcare
no reputation
required_groups voip
match_rate_plan
no threat_types
no maximum_duration
exit
ingress_flow_class Youtube
geolocation
no minimum_rate
no next_hop_ases
no dynamic
no maximum_packets
egress_flow_class Youtube
no minimum_total_bytes
no excluded_groups
no threat_level
no capture
no bad_source_internal
no maximum_rate
no final_ases
no bad_source_external
no hidden
initial_rate_plan
no minimum_duration
no description
applications youtube
minimum_distress 0
name Youtube
no minimum_packets
no maximum_total_bytes
acl Youtube
top_host dontcare
no reputation
no required_groups
match_rate_plan
no threat_types
no maximum_duration
exit
#
#
egress_policy_map external1.any_epm
no description
no dynamic
no hidden
name external1.any_epm
egress_policy games
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class games
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name games
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy other
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class other
no child_equalisation
downstream_cir 0
host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name other
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy speedtest
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class speedtest
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority override
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name speedtest
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy streaming
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class streaming
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name streaming
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 30.0
exit
egress_policy updates
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class updates
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority background
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name updates
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy voip
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class voip
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name voip
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 10.0
exit
egress_policy Youtube
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class Youtube
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name Youtube
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
exit
egress_policy_map external1_epm
no description
no dynamic
no hidden
name external1_epm
egress_policy games
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class games
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name games
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy other
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class other
no child_equalisation
downstream_cir 0
host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name other
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy speedtest
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class speedtest
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority override
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name speedtest
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy streaming
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class streaming
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name streaming
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 30.0
exit
egress_policy updates
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class updates
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority background
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name updates
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy voip
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class voip
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name voip
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 10.0
exit
egress_policy Youtube
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class Youtube
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name Youtube
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
exit
egress_policy_map internal1.any_epm
no description
no dynamic
no hidden
name internal1.any_epm
egress_policy games
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class games
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name games
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy other
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class other
no child_equalisation
downstream_cir 0
host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name other
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy speedtest
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class speedtest
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority override
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name speedtest
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy streaming
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class streaming
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name streaming
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 30.0
exit
egress_policy updates
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class updates
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority background
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name updates
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy voip
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class voip
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name voip
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 10.0
exit
egress_policy Youtube
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class Youtube
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name Youtube
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
exit
egress_policy_map internal1_epm
no description
no dynamic
no hidden
name internal1_epm
egress_policy games
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class games
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name games
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy other
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class other
no child_equalisation
downstream_cir 0
host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name other
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy speedtest
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class speedtest
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority override
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name speedtest
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy streaming
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class streaming
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name streaming
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 30.0
exit
egress_policy updates
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class updates
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority background
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name updates
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
egress_policy voip
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class voip
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority high
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name voip
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 10.0
exit
egress_policy Youtube
upstream_mir 0
upstream_cir 0
downstream_mir 0
no dynamic
egress_flow_class Youtube
no child_equalisation
downstream_cir 0
no host_equalisation
shaper_margin 10.0
priority normal
no hidden
no description
parent
no rate_multiplier
percent_mir 0.0
no control_peak
name Youtube
no shaped
enabled
secondary_parent
burst_threshold 30
percent_cir 0.0
exit
exit
#
#
management_interface mgmt0
no description
requested_system_interface enp11s0
allowed_subnets 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
no dynamic
pci_address 0000:0b:00.0
no hidden
name mgmt0
exit
#
#
egress_flow_class games
no hidden
no dynamic
no description
name games
exit
egress_flow_class other
no hidden
no dynamic
no description
name other
exit
egress_flow_class speedtest
no hidden
no dynamic
no description
name speedtest
exit
egress_flow_class streaming
no hidden
no dynamic
no description
name streaming
exit
egress_flow_class updates
no hidden
no dynamic
no description
name updates
exit
egress_flow_class voip
no hidden
no dynamic
no description
name voip
exit
egress_flow_class Youtube
no hidden
no dynamic
no description
name Youtube
exit
#
#
parameter_info internal_host_quiet_limit

exit

parameter_info model

exit

#
#
fib fib0
no parent_fib
no description
no dynamic
no permitted_hosts
no hidden
root
name fib0
exit
#
#
ingress_policy_map external1.any_ipm
no description
no dynamic
no hidden
name external1.any_ipm
ingress_policy games
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name games
reverse
ingress_flow_class games
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy other
sequence 9000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name other
reverse
ingress_flow_class other
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy speedtest
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name speedtest
reverse
ingress_flow_class speedtest
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy streaming
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name streaming
reverse
ingress_flow_class streaming
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy updates
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name updates
reverse
ingress_flow_class updates
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy voip
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name voip
reverse
ingress_flow_class voip
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy Youtube
sequence 1000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name Youtube
reverse
ingress_flow_class Youtube
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
exit
ingress_policy_map external1_ipm
no description
no dynamic
no hidden
name external1_ipm
ingress_policy games
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name games
reverse
ingress_flow_class games
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy other
sequence 9000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name other
reverse
ingress_flow_class other
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy speedtest
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name speedtest
reverse
ingress_flow_class speedtest
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy streaming
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name streaming
reverse
ingress_flow_class streaming
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy updates
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name updates
reverse
ingress_flow_class updates
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy voip
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name voip
reverse
ingress_flow_class voip
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy Youtube
sequence 1000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name Youtube
reverse
ingress_flow_class Youtube
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
exit
ingress_policy_map internal1.any_ipm
no description
no dynamic
no hidden
name internal1.any_ipm
ingress_policy games
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name games
reverse
ingress_flow_class games
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy other
sequence 9000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name other
reverse
ingress_flow_class other
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy speedtest
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name speedtest
reverse
ingress_flow_class speedtest
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy streaming
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name streaming
reverse
ingress_flow_class streaming
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy updates
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name updates
reverse
ingress_flow_class updates
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy voip
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name voip
reverse
ingress_flow_class voip
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy Youtube
sequence 1000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name Youtube
reverse
ingress_flow_class Youtube
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
exit
ingress_policy_map internal1_ipm
no description
no dynamic
no hidden
name internal1_ipm
ingress_policy games
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name games
reverse
ingress_flow_class games
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy other
sequence 9000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name other
reverse
ingress_flow_class other
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy speedtest
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name speedtest
reverse
ingress_flow_class speedtest
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy streaming
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name streaming
reverse
ingress_flow_class streaming
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy updates
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name updates
reverse
ingress_flow_class updates
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy voip
sequence 8000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name voip
reverse
ingress_flow_class voip
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
ingress_policy Youtube
sequence 1000
no dynamic
flow_rate_cap 0
no reverse_path_forward
minimum_delay 0.000
no dscp_rewrite
no postprocess
no hidden
policy_route_interface
no maximum_delay
no description
policy_route_address ::
chargeable dontcare
name Youtube
reverse
ingress_flow_class Youtube
ip_protocol_rewrite 0
no drop
enabled
fixed_rate 0
no no_police
exit
exit
#
#
condition 5M_over
no dynamic
no clearing_filter
no clear_attribute_value
no attribute_value
object_class interface
severity minor
script
delay 00:00:05.000
no hidden
no description
no name_filter
clearing_script
no mail_subject
no groups
no mail_address
no mail_body
no attribute_name
name 5M_over
clear_delay 00:00:01.000
no enabled
filter name=internal1,transmit_rate>500|receive_rate>500
no trap
no restore_attribute_value
exit
condition 90M_over
no dynamic
clearing_filter rate<90000
no clear_attribute_value
no attribute_value
object_class interface
severity minor
script
delay 00:01:00.000
no hidden
no description
no name_filter
clearing_script
no mail_subject
no groups
no mail_address
no mail_body
no attribute_name
name 90M_over
clear_delay 00:00:10.000
no enabled
filter receive_rate>90000
no trap
no restore_attribute_value
exit
condition Total_Rate_Monitorintg
no dynamic
no clearing_filter
no clear_attribute_value
no attribute_value
object_class application
severity minor
script
delay 00:00:30.000
no hidden
no description
no name_filter
clearing_script
mail_subject Application Total Rate exceeded 90Mbps
no groups
mail_address taks@w-ins.net
mail_body Application Total Rate exceeded 90Mbps
no attribute_name
name Total_Rate_Monitorintg
clear_delay 00:01:00.000
no enabled
filter total_rate>90000
no trap
no restore_attribute_value
exit
#
#
interface external1
no secondary_addresses
ingress_policy_map external1_ipm
no dynamic
unmatched_efc
outer_interface
no secondary_peer
dhcp_subnet 0.0.0.0/0
no port_forwarders
proxy_arp
requested_direction external
dhcp_default_gw 0.0.0.0
shaper_margin 10.0
rate 500000
state enabled
fib fib0
dhcp_low_range 0.0.0.0
no default_ipv4_gateway
no address_pools
no hidden
type ethernet
parent_efc
no description
dhcp_default_lease_time 00:00:00.000
primary_address ::/0
peer internal1
dhcp_broadcast_addr 0.0.0.0
no control_peak
name external1
shaped
arp_timeout 00:00:00.000
lag_interface
no dhcp_enabled
dhcp_max_lease_time 00:00:00.000
egress_policy_map external1_epm
dhcp_hi_range 0.0.0.0
no flash_led
exit
interface external1.any
no secondary_addresses
ingress_policy_map external1.any_ipm
no dynamic
outer_interface external1
no secondary_peer
dhcp_subnet 0.0.0.0/0
no port_forwarders
proxy_arp
requested_direction external
dhcp_default_gw 0.0.0.0
shaper_margin 10.0
rate 500000
state enabled
fib fib0
dhcp_low_range 0.0.0.0
no default_ipv4_gateway
no address_pools
no hidden
type vlan
parent_efc
unmatched_efc
no description
dhcp_default_lease_time 00:00:00.000
primary_address ::/0
peer internal1.any
dhcp_broadcast_addr 0.0.0.0
no control_peak
name external1.any
shaped
arp_timeout 00:00:00.000
lag_interface
no dhcp_enabled
dhcp_max_lease_time 00:00:00.000
egress_policy_map external1.any_epm
dhcp_hi_range 0.0.0.0
no flash_led
exit
interface internal1
no secondary_addresses
ingress_policy_map internal1_ipm
no dynamic
unmatched_efc
outer_interface
no secondary_peer
dhcp_subnet 0.0.0.0/0
no port_forwarders
proxy_arp
requested_direction internal
dhcp_default_gw 0.0.0.0
shaper_margin 10.0
rate 500000
state enabled
fib fib0
dhcp_low_range 0.0.0.0
no default_ipv4_gateway
no address_pools
no hidden
type ethernet
parent_efc
no description
dhcp_default_lease_time 00:00:00.000
primary_address ::/0
peer external1
dhcp_broadcast_addr 0.0.0.0
no control_peak
name internal1
shaped
arp_timeout 00:00:00.000
lag_interface
no dhcp_enabled
dhcp_max_lease_time 00:00:00.000
egress_policy_map internal1_epm
dhcp_hi_range 0.0.0.0
no flash_led
exit
interface internal1.any
no secondary_addresses
ingress_policy_map internal1.any_ipm
no dynamic
outer_interface internal1
no secondary_peer
dhcp_subnet 0.0.0.0/0
no port_forwarders
proxy_arp
requested_direction internal
dhcp_default_gw 0.0.0.0
shaper_margin 10.0
rate 500000
state enabled
fib fib0
dhcp_low_range 0.0.0.0
no default_ipv4_gateway
no address_pools
no hidden
type vlan
parent_efc
unmatched_efc
no description
dhcp_default_lease_time 00:00:00.000
primary_address ::/0
peer external1.any
dhcp_broadcast_addr 0.0.0.0
no control_peak
name internal1.any
shaped
arp_timeout 00:00:00.000
lag_interface
no dhcp_enabled
dhcp_max_lease_time 00:00:00.000
egress_policy_map internal1.any_epm
dhcp_hi_range 0.0.0.0
no flash_led
exit
#
#
administrator admin
encrypted_password $5$LBLoJGFsTPCf$ucn5TXXMFfMz.IkZtsT9EV/CKXihes1.Qw/pNMdSQ3B
no description
no dynamic
enabled
privilege superuser
no hidden
name admin
exit
administrator FlowCommand
encrypted_password $5$JUV7L/f1T4Y$Pq88P9JaDQN/0ei.vi6LH4rpE9SMHW2EfuKyAcI4q02
no description
no dynamic
enabled
privilege monitor
no hidden
name FlowCommand
exit
administrator sbbaek
encrypted_password $5$B5P5XoWFL4$Fg3pM7xmrS31UPouJZsbZ1Oq4EuzNG.AUb9DL0DrKg4
no description
no dynamic
enabled
privilege superuser
no hidden
name sbbaek
exit
#
#
application youtube
no track_in_history
priority 10000
no short_lived
protocol youtube
no description
no stop_dpi
no drop
no dynamic
server youtube%e|googlevideo.com|googlevideo.c|googlevideo.co
chargeable dontcare
track_users
no location
groups streaming
map_location
no hidden
no ports
no postprocess
name youtube
exit
#
#
group games
no nested_groups
no description
no dynamic
no track_in_history
no hidden
type app
name games
exit
group p2p
no nested_groups
no description
no dynamic
no track_in_history
no hidden
type app
name p2p
exit
group speedtest
no nested_groups
no description
no dynamic
no track_in_history
no hidden
type app
name speedtest
exit
group streaming
no nested_groups
no description
no dynamic
no track_in_history
no hidden
type app
name streaming
exit
group updates
no nested_groups
no description
no dynamic
no track_in_history
no hidden
type app
name updates
exit
group voip
no nested_groups
no description
no dynamic
no track_in_history
no hidden
type app
name voip
exit
#
#
script USER_LISTENER
no interval
no description
no persistent
file_name user_listener.py
no dynamic
no argument
no days
no start_times
no end_time
directory /etc/stmfiles/files/scripts
no hidden
run_on_boot
name USER_LISTENER
exit
#
#
user User-10.10.100.35
description tak
no dynamic
chargeable_bytes_base 0
quota 0
no track_in_history
no location
no groups
map_location
no hidden
name User-10.10.100.35
exit
#
#
acl Youtube
no subnets
no description
no dynamic
no hidden
no ports
name Youtube
exit
#
#
policy games
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
no host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 8000
no maximum_rate
priority high
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
groups games
percent_mir 0.0
minimum_distress 0
no minimum_rate
name games
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 0.0
burst_threshold 30
attach_to_rate_plan
exit
policy other
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 9000
no maximum_rate
priority normal
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
no groups
percent_mir 0.0
minimum_distress 0
no minimum_rate
name other
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 0.0
burst_threshold 30
attach_to_rate_plan
exit
policy p2p
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 8000
no maximum_rate
priority normal
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
groups p2p
percent_mir 0.0
minimum_distress 0
no minimum_rate
name p2p
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 0.0
burst_threshold 30
attach_to_rate_plan
exit
policy speedtest
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
no host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 8000
no maximum_rate
priority override
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
groups speedtest
percent_mir 0.0
minimum_distress 0
no minimum_rate
name speedtest
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 0.0
burst_threshold 30
attach_to_rate_plan
exit
policy streaming
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
no host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 8000
no maximum_rate
priority high
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
groups streaming
percent_mir 0.0
minimum_distress 0
no minimum_rate
name streaming
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 30.0
burst_threshold 30
attach_to_rate_plan
exit
policy updates
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
no host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 8000
no maximum_rate
priority background
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
groups updates
percent_mir 0.0
minimum_distress 0
no minimum_rate
name updates
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 0.0
burst_threshold 30
attach_to_rate_plan
exit
policy voip
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
no host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 8000
no maximum_rate
priority high
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
no applications
no shaped
groups voip
percent_mir 0.0
minimum_distress 0
no minimum_rate
name voip
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 10.0
burst_threshold 30
attach_to_rate_plan
exit
policy Youtube
geolocation
shared_partition
chargeable dontcare
no next_hop_ases
upstream_cir 0
downstream_mir 0
no dynamic
flow_rate_cap 0
no maximum_packets
no maximum_total_bytes
no excluded_groups
acl
host_downstream_mir 0
downstream_cir 0
no minimum_duration
no host_equalisation
no maximum_delay
shaper_margin 10.0
minimum_delay 0.000
sequence 1000
no maximum_rate
priority normal
no final_ases
no dscp_rewrite
no minimum_total_bytes
no hidden
no maximum_duration
initial_rate_plan
no ports
no subnets
policy_route_interface
host_upstream_cir 0
no description
parent
attach_to_tunnel
no rate_multiplier
attach_to_interface
applications youtube
no shaped
no groups
percent_mir 0.0
minimum_distress 0
no minimum_rate
name Youtube
policy_route_address ::
no threat_level
no minimum_packets
no drop
enabled
host_downstream_cir 0
host_upstream_mir 0
attach_to_access_point
top_host dontcare
no reputation
upstream_mir 0
no threat_types
percent_cir 0.0
burst_threshold 30
attach_to_rate_plan
exit
stm1wins#

 

 


Configuration for SRX

root# show |no-more 
system {
     root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
        }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 100.1.1.2/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
           family inet {
                address 192.168.2.1/24;
            }
        }
    }
    
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 100.1.1.1;
    }
}

security {
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy ike-phase1-policy {
            mode main;
            proposals ike-phase1-proposal;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway gw-chicago {
            ike-policy ike-phase1-policy;
            address 100.1.1.1;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm des-cbc;
            lifetime-seconds 28800;
        }
        policy ipsec-phase2-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-phase2-proposal;
        }
        vpn ike-vpn-chicago {
            ike {
                gateway gw-chicago;
                ipsec-policy ipsec-phase2-policy;
            }
            establish-tunnels immediately;
        }
        
    }
    policies {
        from-zone trust to-zone untrust {
           policy vpn-tr-untr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
            
        }
        from-zone untrust to-zone trust {
            policy vpn-untr-tr {
                match {
                    source-address chicago;
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn ike-vpn-chicago;
                        }
                    }
                }
            }
            
        }
    }
    zones {
        security-zone trust {
            address-book {
                address sunnyvale 192.168.2.0/24;
               
           }
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address chicago 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }

}

VPN Configuration for Cisco ASA

(Only VPN related config included)
Interface Configuration: 
------------------------------------------------------------------------------------------------------------------

!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 

!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0 
!

Policy Configuration:
------------------------------------------------------------------------------------------------------------------
access-list s2s extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 

IPSEC/IKE Configuration :
-----------------------------------------------------------------------------------------------------------------
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac 
crypto map outside_map 20 match address s2s
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 100.1.1.2 
crypto map outside_map 20 set ikev1 transform-set CISCO
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map interface outside
crypto isakmp identity address 
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 100.1.1.2 type ipsec-l2l
tunnel-group 100.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
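
A site-to-site tunnel only comes up when both peers propose the same phase 1 and phase 2 parameters. The following Python check is an added example, not part of the original post: it reads the crypto lines of the two configurations above, normalises the vendor keywords, and reports mismatches and legacy algorithms. The function names and the `NORMALISE` and `LEGACY` tables are assumptions of this example; the PFS group is not compared because the ASA line `set pfs` names no group.

```python
import re

# Crypto lines taken from the SRX and ASA configurations on this page.
SRX = """\
proposal ike-phase1-proposal {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}
proposal ipsec-phase2-proposal {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm des-cbc;
    lifetime-seconds 28800;
}
"""
ASA = """\
crypto ipsec ikev1 transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Vendor keyword -> neutral name. Assumption of this example: the table covers
# only the keywords that appear in the two configurations above.
NORMALISE = {
    "3des-cbc": "3des", "3des": "3des", "des-cbc": "des", "esp-des": "des",
    "sha1": "sha1", "sha": "sha1", "hmac-md5-96": "md5", "esp-md5-hmac": "md5",
    "group2": "dh2", "2": "dh2", "pre-shared-keys": "psk", "pre-share": "psk",
}
# Long-deprecated choices; replace them on both peers in the same change.
LEGACY = {"des", "3des", "md5", "dh2"}


def parse_srx(text):
    """Return {'phase1': {...}, 'phase2': {...}} from Junos proposal stanzas."""
    out = {}
    for body in re.findall(r"proposal \S+ \{(.*?)\}", text, re.S):
        kv = dict(re.findall(r"^\s*([\w-]+)\s+(\S+);", body, re.M))
        params = {
            "enc": NORMALISE[kv["encryption-algorithm"]],
            "auth": NORMALISE[kv["authentication-algorithm"]],
            "lifetime": int(kv["lifetime-seconds"]),
        }
        if "dh-group" in kv:  # only the IKE (phase 1) proposal carries these
            params["dh"] = NORMALISE[kv["dh-group"]]
            params["method"] = NORMALISE[kv["authentication-method"]]
            out["phase1"] = params
        else:
            out["phase2"] = params
    return out


def parse_asa(text):
    """Return the same structure from ASA ikev1 policy / transform-set lines."""
    out = {"phase1": {}, "phase2": {}}
    m = re.search(r"^crypto ipsec ikev1 transform-set \S+ (\S+) (\S+)", text, re.M)
    if m:
        out["phase2"]["enc"] = NORMALISE[m.group(1)]
        out["phase2"]["auth"] = NORMALISE[m.group(2)]
    m = re.search(r"set security-association lifetime seconds (\d+)", text)
    if m:
        out["phase2"]["lifetime"] = int(m.group(1))
    keys = {"authentication": "method", "encryption": "enc", "hash": "auth",
            "group": "dh", "lifetime": "lifetime"}
    in_policy = False
    for line in text.splitlines():
        words = line.split()
        if line.startswith("crypto ikev1 policy"):
            in_policy = True
        elif in_policy and words and words[0] in keys:
            value = words[1]
            out["phase1"][keys[words[0]]] = (
                int(value) if words[0] == "lifetime" else NORMALISE[value])
        elif words:  # any other command ends the policy sub-mode
            in_policy = False
    return out


def compare(srx, asa):
    """List (phase, field, srx_value, asa_value) for each differing parameter."""
    diffs = []
    for phase in ("phase1", "phase2"):
        for field in sorted(set(srx[phase]) | set(asa[phase])):
            a, b = srx[phase].get(field), asa[phase].get(field)
            if a != b:
                diffs.append((phase, field, a, b))
    return diffs


def legacy(params):
    """Return sorted (phase, field, value) triples that use a legacy algorithm."""
    return sorted((p, f, v) for p, d in params.items()
                  for f, v in d.items() if v in LEGACY)
```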


Verification of VPN connection
SRX:

root> show security ike sa                        
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
778322  UP     8858011cc0881359  e5ecd6302f0306b0  Main           100.1.1.1       

root> show security ipsec sa  
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:des/ md5  fb0a0946 28765/unlim   -   root 500   100.1.1.1       
  >131073 ESP:des/ md5  11f6197b 28765/unlim   -   root 500   100.1.1.1       

root> show security ipsec sa detail                            
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn-chicago
  Local Gateway: 100.1.1.2, Remote Gateway: 100.1.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=192.168.2.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.168.1.0/24)
  Version: IKEv1
    DF-bit: clear
    Policy Name:vpn-tr-untr

    Direction: inbound, SPI: 22abf60, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28571 seconds
    Lifesize Remaining:  4607999 kilobytes
    Soft lifetime: Expires in 27982 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: ccb96ffb, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 28571 seconds
    Lifesize Remaining:  4607999 kilobytes
    Soft lifetime: Expires in 27982 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

root> show security ipsec statistics | no-more    
ESP Statistics:
  Encrypted bytes:          1842192
  Decrypted bytes:          1210704
  Encrypted packets:          12144
  Decrypted packets:          12144
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

 


request chassis cluster failover redundancy-group

request chassis cluster failover node node-number redundancy-group redundancy-group-number
Release Information
Command introduced in Junos OS Release 9.0.

Description
For chassis cluster configurations, initiate manual failover in a redundancy group from one node to the other, which becomes the primary node, and automatically reset the priority of the group to 255. The failover stays in effect until the new primary node becomes unavailable, the threshold of the redundancy group reaches 0, or you use the request chassis cluster failover reset command.

After a manual failover, you must use the request chassis cluster failover reset command before initiating another failover.

Options
node node-number—Number of the chassis cluster node to which the redundancy group fails over.

Range: 0 or 1

redundancy-group group-number—Number of the redundancy group on which to initiate manual failover. Redundancy group 0 is a special group consisting of the two Routing Engines in the chassis cluster.

Range: 0 through 255

Required Privilege Level
maintenance

RELATED DOCUMENTATION
Initiating a Chassis Cluster Manual Redundancy Group Failover

Verifying Chassis Cluster Failover Status

List of Sample Output
request chassis cluster failover redundancy-group
Output Fields
When you enter this command, you are provided feedback on the status of your request.

Sample Output
request chassis cluster failover redundancy-group

{primary:node0}

user@host> request chassis cluster failover redundancy-group 0 node 1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Initiated manual failover for redundancy group 0

 


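How to Check Web Firewall Operation

  1. Connecting to the web firewall gateway

[root@WIM ~]# ssh wig1 # connect to the web firewall gateway

(Unit 1: wig1 or 10.1.1.100; unit 2: wig2 or 10.1.2.100)

root@wig1's password: # the password is root03

  2. Explanation of each item in the check script

[root@WIG1 ~]# cd # move to the script's directory from wherever you are

[root@WIG1 ~]# ./regular_check.sh

Each time you press ENTER, the next item runs and its result is shown.

WI Model : 2030BF # the appliance model name

eth0 MAC Address : 00:10:F3:0F:BC:1E

                    # MAC address of the appliance's eth0; needed when renewing the license

Gateway License : This is unlimited license for

                    # gateway operating license status

WIG version: 2.1.16_6 # gateway firmware version

HTTP(s) Gateway : OK (Listen Port 8001 80 8080)

                    # web firewall engine status and the ports it listens on

Log Agent : OK

                    # agent that sends logs to the manager

Policy Agent : OK

                    # agent that downloads and applies policy when it is applied to a server

System Monitoring : OK

                    # agent that monitors the operating state of the web firewall gateway

Docfilter : OK

                    # agent for personal-information handling

Lan Bypass : OK

                    # operating state of the Bypass TAB

Interface status # traffic volume handled by each interface; in ONE-ARMED mode the SERVER port shows 0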

Client Device

eth6: rx/tx 4582/4582 Kbps, 737/740 pps

Server Device

eth6: rx/tx 0/0 Kbps, 0/0 pps

CLIENT PORT : eth6 # interface LINK state

Settings for eth6:

Speed: 1000Mb/s

Duplex: Full

Port: FIBRE

Auto-negotiation: on

Link detected: yes

SERVER PORT: eth6 # interface LINK state

Settings for eth6:

Speed: 1000Mb/s

Duplex: Full

Port: FIBRE

Auto-negotiation: on

Link detected: yes

CLIENT PORT : eth6 # check the interface counter values

      RX packets:423616900 errors:0 dropped:0 overruns:0 frame:0 

      TX packets:338826150 errors:0 dropped:0 overruns:0 carrier:0 

      collisions:0 txqueuelen:1000  

      Base address:0xaf00 Memory:fdca0000-fdcc0000  

SERVER PORT: eth6 # check the interface counter values

RX packets:423616900 errors:0 dropped:0 overruns:0 frame:0

      TX packets:338826150 errors:0 dropped:0 overruns:0 carrier:0 

      collisions:0 txqueuelen:1000  

      Base address:0xaf00 Memory:fdca0000-fdcc0000  

Httpgw Process Status # check that two web firewall engine processes are running

root 28135 1 0 Jan18 ? 00:00:00 /wig/bin/httpgw

root 28136 28135 5 Jan18 ? 00:47:28 /wig/bin/httpgw

Fail Open Mode : ENABLE # whether the bypass module is enabled

WIG Uptime : 08:43:12 up 51 days, 22:36, 1 user, load average: 0.02, 0.03, 0.00

                         # how long the appliance has been running continuously

Web Server List # list of servers the web firewall handles

0.0.0.0 - 255.255.255.255:8001

0.0.0.0 - 255.255.255.255:8080

0.0.0.0 - 255.255.255.255:80

registered server: count 3

Bypass IP Address Count=7 # list of IPs to bypass

   166.104.117.75 - 166.104.117.75 

   166.104.117.77 - 166.104.117.77 

   121.138.193.186 - 121.138.193.186 

   166.104.157.92 - 166.104.157.92 

   166.104.27.1 - 166.104.27.254 

   166.104.177.1 - 166.104.177.254 

   166.104.96.1 - 166.104.96.254 

[root@WIG1 ~]#

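  3. Emergency response for each item

When you cannot connect to the web firewall gateway

-. Check that the gateway is powered on

(If it does not power on, a power supply or board failure is likely)

-. Check that the cable between the manager and the gateway is connected properly

(Check the LINK state and that the correct ports are connected; a connection to the wrong port or a faulty cable is likely)

-. Check whether the message on the gateway's LCD panel is changing

(If it is frozen, the gateway is down; force a reboot)

When the MAC address of eth0 has changed

-. If the gateway reboots while eth0 has a physical fault, eth1 can become eth0 and the MAC address changes; the appliance must be replaced

-. Request reissue of the gateway operating license

Check the gateway firmware information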

When HTTP(s) Gateway is Not OK

[root@WIG1 ~]# killall httpgw # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_httpgw.sh
[root@WIG1 ~]# /wig/bin/process_status.sh # check the operating state again

When Log Agent is Not OK

[root@WIG1 ~]# killall log_agent # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_prog.sh log_agent -p WI -d DL_NONE
[root@WIG1 ~]# /wig/bin/process_status.sh # check the operating state again

When Policy Agent is Not OK

[root@WIG1 ~]# killall policy_agent # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_prog.sh policy_agent DL_NONE
[root@WIG1 ~]# /wig/bin/process_status.sh # check the operating state again

When System Monitoring is Not OK

[root@WIG1 ~]# killall sys_mon # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_prog.sh sys_mon -p WI -d DL_NONE
[root@WIG1 ~]# /wig/bin/process_status.sh # check the operating state again

When Docfilter is Not OK

[root@WIG1 ~]# killall docfilter # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_prog.sh docfilter DL_NONE
[root@WIG1 ~]# /wig/bin/process_status.sh # check the operating state again

When Lan Bypass is Not OK

[root@WIG1 ~]# killall lan_bypass # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_prog.sh lan_bypass DL_NONE
[root@WIG1 ~]# /wig/bin/process_status.sh # check the operating state again

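Interface status

Shows the traffic volume handled by each interface; in ONE-ARMED mode the SERVER port value is shown as 0.

If the CLIENT port is also 0, check the cable link state and whether the L4 switch is forwarding traffic normally.

CLIENT PORT : eth6

Duplex: Full -> if this shows Half, check the settings on the connected devices and set both to the same mode.

Link detected: yes -> if this shows no, the cable is not connected properly. Check that both ends of the cable are connected properly.

CLIENT PORT : eth6

Check the interface operation counters.

RX packets:423616900 errors:0 dropped:0 overruns:0 frame:0
TX packets:338826150 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000

If RX errors increase: check for a duplex mismatch and the interface and cable state of the connected device.

If TX errors increase: a fault in the web firewall interface is suspected.

Dropped increases when the network firewall function is active.

Collisions can occur when the duplex settings do not match.

All of these counters may register a few events at initial cable connection or at boot.

From now on we will record and track the existing errors, dropped and collision counter values.

If Httpgw Process Status does not show two processes, traffic is not processed normally.

There are two processes by design: the first watches the second and starts it again if it disappears, while the second does the actual work of the web firewall engine.

These days it is rare for the second process not to be running; when it happens, handle it as follows:

[root@WIG1 ~]# killall httpgw # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_httpgw.sh
[root@WIG1 ~]# ps -ef | grep httpgw # check the operating state again

When WIG Uptime shows less than one month although nobody rebooted the appliance

Check whether the appliance rebooted abnormally, and check the power cable connection and the like.

If both web firewalls rebooted at the same time, the cause is external; check power-related items such as the power feed and the UPS.

If only one unit rebooted, an appliance fault is likely and continued monitoring is needed.

When Web Server List is not shown

The gateway has not received the policy from the web firewall manager.

[root@WIG1 ~]# killall httpgw # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_httpgw.sh
[root@WIG1 ~]# cat /proc/pdriver/opmode # check again

When Bypass IP Address Count is not shown

[root@WIG1 ~]# killall httpgw # run about 3 times
[root@WIG1 ~]# /wig/bin/restart_httpgw.sh
[root@WIG1 ~]# cat /proc/pdriver/opmode # check again

Alternatively, register and apply the entries again in the web UI.

The procedures above cover common situations; it is not feasible to anticipate and document every type of failure. Unexpected situations, for example due to hardware errors, can therefore also occur.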
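
The response rules above can be applied mechanically to the `regular_check.sh` output. The following Python code is an added example, not part of the original post or of the vendor's tooling: it parses a constructed sample of that output and returns the items that need action, comparing the error counters against the values recorded at the previous check. The function names, the sample report and the 30-day uptime threshold (the post says "within one month") are assumptions of this example.

```python
import re

# Restart command the post gives for each component that reports "Not OK".
RESTART = {
    "HTTP(s) Gateway": "/wig/bin/restart_httpgw.sh",
    "Log Agent": "/wig/bin/restart_prog.sh log_agent -p WI -d DL_NONE",
    "Policy Agent": "/wig/bin/restart_prog.sh policy_agent DL_NONE",
    "System Monitoring": "/wig/bin/restart_prog.sh sys_mon -p WI -d DL_NONE",
    "Docfilter": "/wig/bin/restart_prog.sh docfilter DL_NONE",
    "Lan Bypass": "/wig/bin/restart_prog.sh lan_bypass DL_NONE",
}

# Constructed sample: the field layout follows the output shown in the post,
# with faults injected (Log Agent down, half duplex, one httpgw process,
# non-zero error counters).
SAMPLE = """\
HTTP(s) Gateway : OK (Listen Port 8001 80 8080)
Log Agent : Not OK
Policy Agent : OK
System Monitoring : OK
Docfilter : OK
Lan Bypass : OK
CLIENT PORT : eth6
Speed: 1000Mb/s
Duplex: Half
Link detected: yes
RX packets:423616900 errors:12 dropped:0 overruns:0 frame:0
TX packets:338826150 errors:0 dropped:0 overruns:0 carrier:0
collisions:3 txqueuelen:1000
Httpgw Process Status
root 28135 1 0 Jan18 ? 00:00:00 /wig/bin/httpgw
WIG Uptime : 08:43:12 up 51 days, 22:36, 1 user, load average: 0.02, 0.03, 0.00
"""


def parse(report):
    """Extract component states, link state, counters, process count, uptime."""
    cur = {"status": {}, "counters": {}}
    for name in RESTART:
        m = re.search(r"^%s\s*:\s*(Not OK|OK)" % re.escape(name), report, re.M)
        if m:
            cur["status"][name] = m.group(1)
    # First occurrence only: in one-armed mode client and server are one port.
    for key, label in (("duplex", "Duplex"), ("link", "Link detected")):
        m = re.search(r"^\s*%s:\s*(\S+)" % label, report, re.M)
        cur[key] = m.group(1) if m else None
    for key, pat in (("rx_errors", r"RX packets:\d+ errors:(\d+)"),
                     ("tx_errors", r"TX packets:\d+ errors:(\d+)"),
                     ("collisions", r"collisions:(\d+)")):
        m = re.search(pat, report)
        cur["counters"][key] = int(m.group(1)) if m else 0
    cur["httpgw_procs"] = sum(1 for line in report.splitlines()
                              if line.rstrip().endswith("/wig/bin/httpgw"))
    m = re.search(r"\bup (\d+) days?,", report)
    cur["uptime_days"] = int(m.group(1)) if m else 0  # no "days" field: < 1 day
    return cur


def findings(cur, baseline):
    """Return (item, action) pairs; baseline holds the counters recorded last time."""
    out = []
    for name, state in cur["status"].items():
        if state != "OK":
            out.append((name, "killall the process, then " + RESTART[name]))
    if cur["httpgw_procs"] != 2:
        out.append(("httpgw", "%d process(es) found, expected 2: %s"
                    % (cur["httpgw_procs"], RESTART["HTTP(s) Gateway"])))
    if cur["duplex"] == "Half":
        out.append(("duplex", "set the same duplex mode on the connected device"))
    if cur["link"] == "no":
        out.append(("link", "check both ends of the cable"))
    if cur["uptime_days"] < 30:
        out.append(("uptime", "unplanned reboot? check power cable and UPS"))
    hints = {
        "rx_errors": "duplex mismatch or cable/interface of the connected device",
        "tx_errors": "suspected fault in the web firewall interface",
        "collisions": "possible duplex mismatch",
    }
    # A few events at boot or cable connection are normal, so only growth
    # since the recorded baseline is reported.
    for key in ("rx_errors", "tx_errors", "collisions"):
        if cur["counters"][key] > baseline.get(key, 0):
            out.append((key, hints[key]))
    return out


if __name__ == "__main__":
    for item, action in findings(parse(SAMPLE), {"rx_errors": 12}):
        print("%-12s %s" % (item, action))
```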

 

 


Juniper EX4200 VLAN Configuration

http://www.juniper.net/techpubs/en_US/junos11.4/topics/task/configuration/bridging-vlans-ex-series-cli.html

Configuring VLANs for EX Series Switches (CLI Procedure)
EX Series switches use VLANs to make logical groupings of network nodes with their own broadcast domains. VLANs limit the traffic flowing across the entire LAN and reduce collisions and packet retransmissions.
- Why Create a VLAN?
- Create a VLAN Using the Minimum Procedure
- Create a VLAN Using All of the Options
- Configuration Guidelines for VLANs

Why Create a VLAN?
Some reasons to create VLANs are:
- A LAN has more than 200 devices.
- A LAN has a lot of broadcast traffic.
- A group of clients requires that a higher-than-average level of security be applied to traffic entering or exiting the group's devices.
- A group of clients requires that the group's devices receive less broadcast traffic than they are currently receiving, so that data speed across the group is increased.

Create a VLAN Using the Minimum Procedure
Two steps are required to create a VLAN:
1. Uniquely identify the VLAN. You do this by assigning either a name or an ID (or both) to the VLAN. When you assign just a VLAN name, an ID is generated by Junos OS.
2. Assign at least one switch port interface to the VLAN for communication. All interfaces in a single VLAN are in a single broadcast domain, even if the interfaces are on different switches. You can assign traffic on any switch to a particular VLAN by referencing either the interface sending traffic or the MAC addresses of devices sending traffic.

The following example creates a VLAN using only the two required steps. The VLAN is created with the name employee-vlan. Then, three interfaces are assigned to that VLAN so that the traffic is transmitted among these interfaces.

Note: In this example, you could alternatively assign an ID number to the VLAN. The requirement is that the VLAN have a unique ID.
[edit]
set vlans employee-vlan
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members employee-vlan
In the example, all users connected to the interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3 can communicate with each other, but not with users on other interfaces in this network. To configure communication between VLANs, you must configure a routed VLAN interface (RVI). See Configuring Routed VLAN Interfaces (CLI Procedure).

Create a VLAN Using All of the Options
To configure a VLAN, follow these steps:
1. In configuration mode, create the VLAN by setting the unique VLAN name:
[edit]
user@switch# set vlans vlan-name
2. Configure the VLAN tag ID or VLAN ID range for the VLAN. (If you assigned a VLAN name, you do not have to do this, because a VLAN ID is assigned automatically, thereby associating the name of the VLAN to an ID number. However, if you want to control the ID numbers, you can assign both a name and an ID.)
[edit]
user@switch# set vlans vlan-name vlan-id vlan-id-number
or
[edit]
user@switch# set vlans vlan-name vlan-range (vlan-id-low) - (vlan-id-high)
3. Assign at least one interface to the VLAN:
[edit]
user@switch# set vlans vlan-name interface interface-name

Note: You can also specify that a trunk interface is a member of all the VLANs that are configured on this switch. When a new VLAN is configured on the switch, this trunk interface automatically becomes a member of the VLAN.
4. (Optional) Create a subnet for the VLAN because all computers that belong to a subnet are addressed with a common, identical, most-significant-bit group in their IP address. This makes it easy to identify VLAN members by their IP addresses. To create the subnet for the VLAN:
[edit interfaces]
user@switch# set vlan unit logical-unit-number family inet address ip-address
5. (Optional) Specify the description of the VLAN:
[edit]
user@switch# set vlans vlan-name description text-description
6. (Optional) To avoid exceeding the maximum number of members allowed in a VLAN, specify the maximum time that an entry can remain in the forwarding table before it ages out:
[edit]
user@switch# set vlans vlan-name mac-table-aging-time time
7. (Optional) For security purposes, specify a VLAN firewall filter to be applied to incoming or outgoing packets:
[edit]
user@switch# set vlans vlan-name filter input-or-output filter-name
8. (Optional) For accounting purposes, enable a counter to track the number of times this VLAN is accessed:
[edit]
user@switch# set vlans vlan-name l3-interface ingress-counting l3-interface-name

Configuration Guidelines for VLANs
Two steps are required to create a VLAN. You must uniquely identify the VLAN and you must assign at least one switch port interface to the VLAN for communication.
After creating a VLAN, all users connected to the interfaces assigned to the VLAN can communicate with each other but not with users on other interfaces in the network. To configure communication between VLANs, you must configure a routed VLAN interface (RVI). See Configuring Routed VLAN Interfaces (CLI Procedure) to create an RVI.
The number of VLANs supported per switch varies for each switch type. Use the command set vlans id vlan-id ? to discover the maximum number of VLANs allowed on a switch. You cannot exceed this VLAN limit because each VLAN is assigned an ID number when it is created. You can, however, exceed the recommended VLAN member maximum. To determine the maximum number of VLAN members allowed on a switch, multiply the VLAN maximum obtained using set vlans id vlan-id ? times 8.
If a switch configuration exceeds the recommended VLAN member maximum, you see a warning message when you commit the configuration. If you ignore the warning and commit such a configuration, the configuration succeeds but you run the risk of crashing the Ethernet switching process (eswd) due to memory allocation failure.
Published: 2011-11-04

 

 


Could you please share us the below listed information to proceed further on this case.

“show diag detail” output.
Sysdump
Log files upload all

How to collect Sysdump:
Example :
FreeUser-10-4 [default: master] # debug generate dump
Generated dump sysdump-FreeUser-10-4-20190410-060522.tgz.gpg

MSWMN14GLBS102 (config) # show file debug-dump
sysdump-MSWMN14GLBS102-20120412-123916.tgz.gpg
sysdump-FreeUser-10-4-20190410-060522.tgz.gpg

MSWMN14GLBS102 (config) # file debug-dump upload sysdump-FreeUser-10-4-20190410-060522.tgz.gpg scp://root:mypass@10.126.44.95/mydebug.tgz.gpg

How to collect “log files”:
MSWMN14GLBS102 (config) # log files upload all scp://root:mypass@10.126.44.95/mydebug.tgz.gpg

 

 


Juniper EX S/W Factory Reset

[edit]
user@switch# load factory-default

[edit]
user@switch# run request system zeroize

[edit]
user@switch# delete system commit factory-settings
[edit]
user@switch# set system root-authentication plain-text-password
[edit]
user@switch# commit

Firmware Upgrade

root@SW2# run request system software add /var/tmp/jinstall-ex-4300-14.1X53-D45.3-domestic-signed.tgz reboot

root@SW2# run monitor traffic interface ge-0/2/0 size 1500

 

 


To set up GRIP successfully, it is advised that you check the inline functions of each HC2 separately.

https://gigamoncp.force.com/partnercommunity/s/article/HC2-GRIP-Configuration-example#loaded

A. Set up Primary without GRIP
a. Ensure secondary is wire only (i.e. physical bypass = enable)
b. Take primary out of bypass, configure all ports and forward inline traffic to inline tool

On secondary: inline-network alias default_inline_net_1_1_4 physical-bypass en

On primary:
port 1/1/x23..x24 params admin enable
port 1/1/x8..x9 type inline-tool
port 1/1/x8..x9 params ad en

inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool

inline-tool alias IT-01 pair tool-a 1/1/x8 and tool-b 1/1/x9
inline-tool alias IT-01 failover-action tool-bypass
inline-tool alias IT-01 enable
c. Forward traffic to the inline tool for inspection:
map-passall alias IL-to-tool-Grip
from default_inline_net_1_1_4
to IT-01
exit

inline-network alias default_inline_net_1_1_4 physical-bypass disable

Confirm the setup on the primary using show port params and show port stats.

B. Set up Secondary without GRIP
a. Set the primary as wire only (i.e., physical bypass = enable).
On primary: inline-network alias default_inline_net_1_1_4 physical-bypass en

On secondary:
port 1/1/x23..x24 params admin enable
inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool

port 1/1/x2..x3 type inline-tool
port 1/1/x2..x3 params ad en
inline-tool alias IT-02 pair tool-a 1/1/x2 and tool-b 1/1/x3
inline-tool alias IT-02 failover-action tool-bypass
inline-tool alias IT-02 enable

map-passall alias IL-to-tool-GripSecondary
from default_inline_net_1_1_4
to IT-02
exit

inline-network alias default_inline_net_1_1_4 physical-bypass disable

Again, confirm the configuration using show port params and show port stats.

C. Configure redundancy profiles and signal links.

i. Enable bypass on both
[primary] inline-network alias default_inline_net_1_1_4 physical-bypass en
[secondary] inline-network alias default_inline_net_1_1_4 physical-bypass en

ii. Configure GRIP Redundancy profiles and check signal link
Note: the signal link is port 1/1/x7 on the primary and port 1/1/x4 on the secondary.

Primary:
port 1/1/x7 type stack
port 1/1/x7 params admin en

redundancy-profile alias RP-01
protection-role primary
signaling-port 1/1/x7
exit

Secondary:
port 1/1/x4 type stack
port 1/1/x4 params admin en

redundancy-profile alias RP-02
protection-role secondary
signaling-port 1/1/x4
exit

D. Turn off LFP, Assign Redundancy Profile (RP) to Inline Network ports on both chassis
[primary]
no inline-network alias default_inline_net_1_4_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01
[secondary]
no inline-network alias default_inline_net_1_4_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-02

ADDITIONAL NOTES
Once the redundancy profile has been applied, the physical bypass state is controlled by software.

Commands for checking status:
[Primary]
show inline-network alias default_inline_net_1_1_4
show port stats p 1/1/x23,1/1/x8,1/1/x9,1/1/x24
show port params p 1/1/x23,1/1/x8,1/1/x9,1/1/x24

[Secondary]
show inline-network alias default_inline_net_1_1_4
show port params p 1/1/x23,1/1/x2,1/1/x3,1/1/x24
show port stats p 1/1/x23,1/1/x2,1/1/x3,1/1/x24

Note: In this example, link failure propagation (LFP) is disabled to reduce inline network recovery time after failover.
When GRIP is deployed in high-availability networks where a second path is present, it is a best practice to leave LFP enabled.
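
A pre-change check for the step C and D command sets above, as an added example that is not part of the original post or any Gigamon tooling: it verifies that each redundancy profile has the expected role and an enabled stack-type signaling port, and that all inline-network commands target one alias. The lint helper and its messages are hypothetical; the primary's commands are copied from the steps above and the secondary's are derived from them by substitution. On the commands as written it reports that the LFP line names default_inline_net_1_4_4 while the other lines name default_inline_net_1_1_4, which is worth confirming against the chassis layout before applying.

```python
import re

# Constructed input: the step C/D commands for the primary, copied from the page.
PRIMARY = """port 1/1/x7 type stack
port 1/1/x7 params admin en
redundancy-profile alias RP-01
protection-role primary
signaling-port 1/1/x7
exit
no inline-network alias default_inline_net_1_4_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01"""
# The secondary differs only in signaling port, profile name and role.
SECONDARY = (PRIMARY.replace("x7", "x4").replace("RP-01", "RP-02")
             .replace("role primary", "role secondary"))

def lint(config, role):
    """Return findings for one chassis (hypothetical helper, not a Gigamon tool)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    stack = {l.split()[1] for l in lines if re.fullmatch(r"port \S+ type stack", l)}
    enabled = {l.split()[1] for l in lines
               if re.fullmatch(r"port \S+ params ad(min)? en(able)?", l)}
    profiles, nets, cur = {}, {}, None
    for l in lines:
        m = re.fullmatch(r"(?:no )?inline-network alias (\S+) (.+)", l)
        if m:  # collect every setting per inline-network alias
            nets.setdefault(m.group(1), []).append(m.group(2))
        elif l.startswith("redundancy-profile alias "):
            cur = profiles.setdefault(l.split()[2], {})
        elif l == "exit":
            cur = None
        elif cur is not None:  # key/value line inside a profile block
            key, _, val = l.partition(" ")
            cur[key] = val
    findings = []
    for name, p in profiles.items():
        if p.get("protection-role") != role:
            findings.append(f"{name}: protection-role is not {role}")
        port = p.get("signaling-port")
        if port not in stack or port not in enabled:
            findings.append(f"{name}: signaling port {port} is not an enabled stack port")
    bound = [s.split()[1] for v in nets.values() for s in v
             if s.startswith("redundancy-profile ")]
    if sorted(bound) != sorted(profiles):
        findings.append("inline network is not bound to the defined redundancy profile")
    if len(nets) > 1:
        findings.append("multiple inline-network aliases: " + ", ".join(sorted(nets)))
    return findings
```

Call lint(PRIMARY, "primary") and lint(SECONDARY, "secondary") on the planned commands; an empty list means all checks passed.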

 

 
