
##Atualizado 19/08/2020##

##Todas as informações em "#" são comentários e não devem ser aplicadas na OLT##

#Usuário e Senha Padrão#


user: root
password: admin123

#Comando para entrar no modo de configuração da OLT#


config

#Desabilitar em definitivo a interatividade do CLI#


undo system user smart
undo system user interactive

#Desabilitar Telnet#
sysman service telnet disable

#Configurar Hostname#
sysname <sigla_da_cidade + site + OLT + numero_da_olt_do_site>
sysname SNGCTROLT01

#Add Placas PON#


board add 0/1 H901GPHF
board add 0/2 H901GPHF
board add 0/3 H901GPHF
board add 0/x #Incluir todos os slots com placa da OLT#

#Trocar a senha do root da OLT#


terminal user password
User Name(<=15 chars):root
New Password(length<6,15>):<sigla_operacao>_R3str1ct3d
Confirm Password(length<6,15>):<sigla_operacao>_R3str1ct3d
Information takes effect
Repeat this operation? (y/n)[n]: <enter>

ssh user "root" authentication-type password

#Validar Placas da OLT#


display board 0 #Placas devem estar com o status "Online"; caso contrário, é necessário adicioná-las#

#Add Placas PON#


board add 0/1 H901GPHF
board add 0/2 H901GPHF
board add 0/3 H901GPHF
board add 0/x #Incluir todos os slots com placa da OLT#

#Habilita o uso das ACLs na OLT#


firewall enable

#ACL#
acl 3088
description "Bloqueio_SSH"
rule 10 permit tcp source <rede_front_operação> <wild_mask> destination-port eq 22
rule 20 permit tcp source 201.6.4.0 0.0.0.255 destination-port eq 22
rule 30 permit tcp source 181.213.160.0 0.0.1.255 destination-port eq 22
rule 40 permit tcp source 181.213.140.0 0.0.3.255 destination-port eq 22
rule 50 permit tcp source <ip_servidor_U2000> 0 destination-port eq 22
rule 60 permit tcp source <ip_servidor_U2000_bkp> 0 destination-port eq 22
rule 70 permit tcp source 181.213.166.0 0.0.0.15 destination-port eq 22
rule 200 deny tcp destination-port eq 22
quit

acl 2089
description "SNMP"
rule 10 permit source 200.255.253.10 0
rule 20 permit source 200.255.253.11 0
rule 30 permit source <front_operação> <mask>
rule 40 permit source 201.6.4.0 24
rule 50 permit source 181.213.160.0 23
rule 60 permit source 181.213.140.0 22
rule 70 permit source <ip_servidor_U2000> 0
rule 80 permit source <ip_servidor_U2000_bkp> 0
rule 90 permit source 201.6.7.208 28
rule 100 permit source 201.6.20.64 28
rule 110 permit source 181.213.166.0 0.0.0.15
rule 120 permit source <ip_coletora_visium> 0
rule 200 deny
quit

#SNMP#
undo system snmp-user password security
snmp-agent community write paranoia
snmp-agent community read D3s3nMs0
snmp-agent community read n0cn3t
snmp-agent community read t3MP35t@d3
snmp-agent community read 3mbr@t3l
snmp-agent community read Nc3Hu@w31
snmp-agent community read m0nit0r4c40
snmp-agent sys-info contact "datacenter.<sigla_da_operacao>.virtua.com.br"
snmp-agent sys-info location "DHCP: <ip_dhcp_primary> FAILOVER: <ip_dhcp_secondary>"
snmp-agent sys-info version v2c
snmp-agent trap enable standard
snmp-agent target-host trap-hostname U2000-GPON address <ip_servidor_U2000> udp-port 162 trap-paramsname U2000-GPON
snmp-agent target-host trap-paramsname U2000-GPON v2c securityname cipher paranoia
snmp-agent target-host trap-hostname U2000-GPON-BKP address <ip_servidor_U2000_bkp> udp-port 162 trap-paramsname U2000-GPON-BKP
snmp-agent target-host trap-paramsname U2000-GPON-BKP v2c securityname cipher paranoia
snmp-agent acl 2089

#Auto find nas portas GPON#


interface gpon 0/1
port 0 ont-auto-find enable
port 1 ont-auto-find enable
port 2 ont-auto-find enable
port 3 ont-auto-find enable
port 4 ont-auto-find enable
port 5 ont-auto-find enable
port 6 ont-auto-find enable
port 7 ont-auto-find enable
port 8 ont-auto-find enable
port 9 ont-auto-find enable
port 10 ont-auto-find enable
port 11 ont-auto-find enable
port 12 ont-auto-find enable
port 13 ont-auto-find enable
port 14 ont-auto-find enable
port 15 ont-auto-find enable
quit

interface gpon 0/2


port 0 ont-auto-find enable
port 1 ont-auto-find enable
port 2 ont-auto-find enable
port 3 ont-auto-find enable
port 4 ont-auto-find enable
port 5 ont-auto-find enable
port 6 ont-auto-find enable
port 7 ont-auto-find enable
port 8 ont-auto-find enable
port 9 ont-auto-find enable
port 10 ont-auto-find enable
port 11 ont-auto-find enable
port 12 ont-auto-find enable
port 13 ont-auto-find enable
port 14 ont-auto-find enable
port 15 ont-auto-find enable
quit

interface gpon 0/x #Incluir todos os slots com placa da OLT#

#Vlans#
vlan 2 to 4078 smart
y
vlan desc <id_vlan_ipv4> description "IPv4_Uplink"   
vlan desc <id_vlan_ipv6> description "IPv6_Uplink"
vlan desc 4074 description "GPON_VLAN"

#Descrição da porta de Uplink#


port desc 0/8/0 description "Virtua IPv4 e IPv6"
port desc 0/9/0 description "Virtua IPv4 e IPv6"

#Configuração das interfaces Uplink#


interface mpu 0/8
speed 0 10000
quit

interface mpu 0/9


speed 0 10000
quit

#Timezone#
timezone GMT- 03:00

#Interfaces IPs#
interface LoopBack0
description "INFRA-IPV4-RESIDENCIAL"
ip address <ipv4> 255.255.255.255
quit

interface Vlanif<id_vlan_ipv4>
description "IPv4_Uplink"
ip address <ipv4> <mask>
firewall packet-filter 3088 inbound
quit

interface Vlanif<id_vlan_ipv6>
description "IPv6_Uplink"
ipv6 enable
ipv6 address <ipv6>/126

interface LoopBack1
description "INFRA-IPV6-RESIDENCIAL"
ipv6 enable
ipv6 address <ipv6>/128

interface LoopBack2
description "GERENCIA-OLT-RESIDENCIAL"
ip address <ipv4> 255.255.255.255

#Trap via Loopback#


sysman source trap loopback 2

#Aplicar vlans no uplink#


port vlan <id_vlan_ipv4> 0/8 0
port vlan <id_vlan_ipv4> 0/9 0
port vlan <id_vlan_ipv6> 0/8 0
port vlan <id_vlan_ipv6> 0/9 0
port vlan 4074 0/8 0
port vlan 4074 0/9 0
y

#Configurar LAG#
link-aggregation 0/8 0 0/9 0 egress-ingress workmode lacp-static
link-aggregation add-member 0/8/0 0/9 0
link-aggregation description 0/8/0 "Roteador_xxx_Porta_0/0/x"
link-aggregation description 0/9/0 "Roteador_xxx_Porta_0/0/x"

#Comandos para validar LAG#


display link-aggregation 0/8/0
display lacp link-aggregation summary
display lacp link-aggregation verbose 1

#Configuração de DHCP L3#


dhcp mode layer-3 option60
y
dhcp option82 enable
y
dhcpv6 mode layer-3 option16
y
dhcpv6 option enable
y

dhcp-server 1 ip <ipv4_dhcp_primary> <ipv4_dhcp_secondary>

dhcpv6-server 1 ipv6 <ipv6_dhcp_primary> <ipv6_dhcp_secondary>

#Interface VLAN#

interface Vlanif4074
description "ONT_Interface"
ipv6 enable
ip address <gw_cpe_nat_1> <mask> description "Rede_CPE_CGNAT"
ip address <gw_cpe_1> <mask> sub description "Rede_CPE_Virtua"
ip address <gw_cpe_netfone_1> <mask> sub description "Rede_CPE_NETFONE"
ipv6 address <gw_rede_ipv6>/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
dhcp-server 1
dhcpv6-server 1
quit

dhcp domain "default"


dhcp-gateway learning enable
dhcpv6-gateway learning enable
dhcp-server 1 vlan 4074
dhcpv6-server 1 vlan 4074
quit

dhcp gateway-group "GPON"


dhcp-gateway <ip_primario_vlan_4074> master
dhcp domain "default" server-group 1
quit

interface Vlanif4074
dhcp domain "default" gateway-group "GPON"
dhcp domain "default" gateway ipv6 <gw_rede_ipv6>
quit

#IPv6 - Global#
security bind-route-nd enable

#IPv6 - VLAN#
vlan service-profile profile-id 2 profile-name "IPv6_PD_Routing_enable"
security bind-route-nd enable
commit
quit

vlan bind service-profile 4074 profile-id 2

#Option 82 DHCPv4 e Option 37 DHCPv6#

raio-profile index 1 name "raio-profile-1"


raio-format dhcp-option82 cid xpon "splabel"
raio-format dhcp-option82 rid xpon "sprlabelhex"
raio-format dhcpv6-option cid xpon "splabel"
raio-format dhcpv6-option rid xpon "sprlabelhex"
raio-mode user-defined dhcp-option82
raio-mode user-defined dhcpv6-option
quit
vlan bind raio-profile 4074 index 1

#Router Static#
ipv6 route-static <bloco_ipv6_OLT> 48 NULL0

###OSPF###

#Ospfv2#
ospf 28573 router-id <ip_loopback_0>
maximum load-balancing 8
area <area_ospf_cidade_net>
description "OSPF-IPV4-<nome da nova cidade>"

#Aplicar na(s) interface(s) Vlan(s) IPv4 (/30) e Loopback 0#

interface vlan <id_vlan_ipv4>


ospf network-type p2p
ospf enable 28573 area <area_ospf_cidade_net>
quit

interface LoopBack0
ospf enable 28573 area <area_ospf_cidade_net>
quit

#Ospfv3#
ospfv3 28573
router-id <ip_loopback_1>
maximum load-balancing 8
area <area_ospf_cidade_net>
description "OSPF-IPV6-<nome da nova cidade>"

#Aplicar na(s) interface(s) Vlan(s) IPv6 (/126) e Loopback 1#


interface vlan <id_vlan_ipv6>
ospfv3 28573 area <area_ospf_cidade_net>
ospfv3 network-type p2p
quit

interface LoopBack1
ospfv3 28573 area <area_ospf_cidade_net>
quit

###BGP###

#IP Prefix#
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 5 permit <loopback 2> <mask>
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 10 permit <rede_cpe_nat_1> <mask>
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 15 permit <rede_cpe_1> <mask>
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 20 permit <rede_cpe_netfone_1> <mask>
ip ip-prefix "DEFAULT-ROUTE-IPV4" index 5 permit 0.0.0.0 0
ip ip-prefix "PLATAFORMA-MULTICAST-ALLIP" index 5 deny 0.0.0.0 0
ip ip-prefix "PLATAFORMA-MULTICAST-ALLIP" index 10 permit <rede_DCM1> <mascara>
ip ip-prefix "PLATAFORMA-MULTICAST-ALLIP" index 20 permit <rede_DCM2> <mascara>
ip ip-prefix "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" index 10 deny 0.0.0.0 0

ip ipv6-prefix "ANNOUNCE-V6-TO-GPON" index 5 permit <rede_ipv6_PD> 48 greater-equal 48 less-equal 128
ip ipv6-prefix "ANNOUNCE-V6-TO-GPON" index 99999 deny :: 0 less-equal 128
ip ipv6-prefix "DEFAULT-ROUTE-IPV6" index 5 permit :: 0
ip ipv6-prefix "RECEIVED-V6-TO-GPON" index 5 permit <rede_ipv6_infra> 40 greater-equal 48 less-equal 128

#Route-Policy#

#Códigos Cidade Anatel: https://sistemas.anatel.gov.br/sacp/Parametros/ArquivosAnexos/Reg%20Tarifação%20ANEXO%20I%20v06102005.pdf#

#IPv6 - OUT#
route-policy "ANNOUNCE-GPON-IPV6-OUT" permit node 5
if-match ipv6 address prefix-list "ANNOUNCE-V6-TO-GPON"
apply community 28573:<codigo_anatel_cidade_nova>

route-policy "ANNOUNCE-GPON-IPV6-OUT" deny node 1000

#IPv6 - IN#
route-policy "RECEIVED-GPON-IPV6-IN" permit node 5
if-match ipv6 address prefix-list "DEFAULT-ROUTE-IPV6"

route-policy "RECEIVED-GPON-IPV6-IN" permit node 10


if-match ipv6 address prefix-list "RECEIVED-V6-TO-GPON"

route-policy "RECEIVED-GPON-IPV6-IN" deny node 1000

#IPv4 - OUT#
route-policy "ANNOUNCE-IPV4-TO-CORE-RR" permit node 10
if-match ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR"
apply community 28573:<codigo_anatel_cidade_nova>

route-policy "ANNOUNCE-IPV4-TO-CORE-RR" deny node 1000

#IPv4 - IN#
route-policy "RECEIVED-IPV4-TO-CORE-RR" permit node 5
if-match ip-prefix "DEFAULT-ROUTE-IPV4"

route-policy "RECEIVED-IPV4-TO-CORE-RR" deny node 1000

#IPTV - IN#
route-policy "RECEIVED-IPV4-MULTICAST-OF-ALLIP" permit node 10
if-match ip-prefix "PLATAFORMA-MULTICAST-ALLIP"
quit

route-policy "RECEIVED-IPV4-MULTICAST-OF-ALLIP" deny node 1000


quit

#IPTV - OUT#
route-policy "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" permit node 10
if-match ip-prefix "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP"
quit

route-policy "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" deny node 1000


quit

#Peer BGP#

bgp 28573
peer <ip_loopback_ipv4_infra_router_virtua> as-number 28573
peer <ip_loopback_ipv4_infra_router_virtua> description "BGP-IPV4-GPON-CORE-RR-CPSCPDRTD02"
peer <ip_loopback_ipv4_infra_router_virtua> connect-interface "LoopBack0"
peer <ip_loopback_ipv6_infra_router_virtua> as-number 28573
peer <ip_loopback_ipv6_infra_router_virtua> description "IBGP-IPV6-GPON-RR-CORE-CPSCPDRTD02"
peer <ip_loopback_ipv6_infra_router_virtua> connect-interface "LoopBack1"
peer <ip_do_neighbor_da_vlan_informada_na_SSD> as-number <as_bgp_informado_na_ssd>
peer <ip_do_neighbor_da_vlan_informado_na_SSD> connect-interface <id_da_vlan_cfme_SSD>
peer <ip_do_neighbor_da_vlan_informado_na_SSD> password cipher <senha_bgp_informada_na_ssd>
ipv4-family unicast
undo synchronization
network <loopback 2> <mask>
network <rede_cpe_nat_1> <mask>
network <rede_cpe_1> <mask>
network <rede_cpe_netfone_1> <mask>
peer <ip_loopback_ipv4_infra_router_virtua> enable
peer <ip_loopback_ipv4_infra_router_virtua> route-policy "RECEIVED-IPV4-TO-CORE-RR" import
peer <ip_loopback_ipv4_infra_router_virtua> route-policy "ANNOUNCE-IPV4-TO-CORE-RR" export
peer <ip_loopback_ipv4_infra_router_virtua> next-hop-local
peer <ip_loopback_ipv4_infra_router_virtua> advertise-community
peer <ip_loopback_ipv4_infra_router_virtua> advertise-ext-community
peer <ip_do_neighbor_da_vlan_informado_na_SSD> enable
peer <ip_do_neighbor_da_vlan_informado_na_SSD> route-policy "RECEIVED-IPV4-MULTICAST-OF-ALLIP" import
peer <ip_do_neighbor_da_vlan_informado_na_SSD> route-policy "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" export
peer <ip_do_neighbor_da_vlan_informado_na_SSD> next-hop-local
peer <ip_do_neighbor_da_vlan_informado_na_SSD> allow-as-loop 10
quit

ipv6-family unicast
undo synchronization
network <bloco_ipv6_OLT> 48
peer <ip_loopback_ipv6_infra_router_virtua> enable
peer <ip_loopback_ipv6_infra_router_virtua> route-policy "RECEIVED-GPON-IPV6-IN" import
peer <ip_loopback_ipv6_infra_router_virtua> route-policy "ANNOUNCE-GPON-IPV6-OUT" export
peer <ip_loopback_ipv6_infra_router_virtua> reflect-client
peer <ip_loopback_ipv6_infra_router_virtua> next-hop-local
peer <ip_loopback_ipv6_infra_router_virtua> advertise-community
peer <ip_loopback_ipv6_infra_router_virtua> advertise-ext-community
quit

#TACACS+ AAA#
hwtacacs-server template "tacacs"
hwtacacs-server authentication 201.6.4.39
hwtacacs-server authentication 201.6.4.38 secondary
hwtacacs-server authorization 201.6.4.39
hwtacacs-server authorization 201.6.4.38 secondary
hwtacacs-server accounting 201.6.4.39
hwtacacs-server accounting 201.6.4.38 secondary
hwtacacs-server source-interface "LoopBack2"
hwtacacs-server shared-key cipher <chave_tacacs>
hwtacacs-server timer response-timeout 10
undo hwtacacs-server user-name domain-included
quit

aaa
authentication-scheme "tacacs+"
authentication-mode hwtacacs local
quit

authorization-scheme "tacacs+"
authorization-mode hwtacacs none
authorization-cmd 0 hwtacacs
authorization-cmd 1 hwtacacs
authorization-cmd 2 hwtacacs
quit

accounting-scheme "tacacs+"
accounting-mode hwtacacs
quit

domain "default"
authentication-scheme "tacacs+"
authorization-scheme "tacacs+"
accounting-scheme "tacacs+"
hwtacacs-server "tacacs"
quit

recording-scheme "tacacs+"
recording-mode hwtacacs "tacacs"
quit

system recording-scheme "tacacs+"


outbound recording-scheme "tacacs+"
cmd recording-scheme "tacacs+"
quit

terminal user authentication-mode aaa "default"

#Criar usuario nsvcadm#

terminal user name


User Name(length<6,15>):nsvcadm
User Password(length<6,15>): <sigla_da_cidade>_@cc355
Confirm Password(length<6,15>):<sigla_da_cidade>_@cc355
User profile name(<=15 chars)[root]: <enter>
Users Level:
1. Common User 2. Operator: 2
Permitted Reenter Number(0--20): 0
Users Appended Info(<=30 chars): <enter>
Adding user successfully
Repeat this operation? (y/n)[n]:n

#Autosave#
autosave time on
autosave interval 240
autosave type all

#NTP synchronization#
ntp-service unicast-server <ip_srv_ntp> source-interface Vlanif<id_vlan_ipv4>

#Timeout Autofind#
ont autofind timeout 100

#Configuração inicial de Multicast - IPTV#

"Configurar sempre, mesmo que o serviço de IPTV ainda não tenha sido implementado na cidade"

multicast upstream-mode pim-ssm


btv
igmp cascade-port 0/8/3
quit
multicast-vlan 4073
quit

#Configuração Completa IPTV#

interface Vlanif <id_da_vlan_cfme_SSD>


ip address <ip_fornecido_pela_ssd> 255.255.255.252
pim sm
quit

interface Vlanif4073
description VLAN-MULTICAST-OF-OLT-TO-ONT
ip address 1.1.1.1 255.255.255.252
quit

"Necessário configurar um IP nessa interface vlan 4073, visto que o tráfego multicast será em L3; usar sempre o IP 1.1.1.1/30 e não anunciar esse IP no BGP, pois ele será usado somente localmente"

acl 4073
rule 10 permit source 4073
quit
traffic-priority outbound link-group 4000 rule 10 acl-index 32 dscp 36 port 0/<slot>/<porta PON>

"Aplicar em todas as portas PON da OLT"

port vlan <id_da_vlan_cfme_SSD> 0/8 0


port vlan 4073 0/8 0
port vlan <id_da_vlan_cfme_SSD> 0/9 0
port vlan 4073 0/9 0

interface mpu 0/8


undo traffic-suppress 0 broadcast
undo traffic-suppress 0 multicast
undo traffic-suppress 0 unicast
quit

interface mpu 0/9


undo traffic-suppress 0 broadcast
undo traffic-suppress 0 multicast
undo traffic-suppress 0 unicast
quit

multicast routing-enable

acl 2999
description MULTICAST IPTV
rule 10 permit source 235.0.<ddd_da_origem_do_multicast>.0 0.0.0.255
quit

pim
ssm-policy 2999
quit

btv
igmp query-offline-user enable
igmp cascade-port 0/8/3

multicast upstream-mode pim-ssm


multicast-vlan 4073
igmp match mode disable
igmp mode proxy
igmp program add batch ip 235.0.<ddd_da_origem_do_multicast>.1 to-ip 235.0.<ddd_da_origem_do_multicast>.254 sourceip <ip_da_porta_do_DCM>
quit

btv
igmp static-join cascade-port 0/8/3 ip 235.0.<ddd_da_origem_do_multicast>.<id_do_canal> vlan 4073 sourceip <ip_da_porta_do_DCM>

"Cada linha configurada do static-join corresponde a um determinado IP do grupo de multicast; se houver mais de um, é necessário inserir uma linha de configuração para cada IP do grupo de multicast."

multicast-vlan 4073
igmp program rename PROGRAM-0 Globo_HD
igmp program rename PROGRAM-1 Band_HD
quit

#ACL#

-Front
acl 3102
description "Bloqueio_Porta_Uplink_Inbound"
#ACCESS SSH#
rule 10 permit ip source <rede_front_operação> <wild_mask> destination <loopback 2> 0 #FRONT OPERAÇÃO#
rule 20 permit ip source 201.6.4.0 0.0.0.255 destination <loopback 2> 0 #FRONT ENGENHARIA#
#GERENCIA OLT#
rule 30 permit ip source <ip_srv_U2000> destination <loopback 2> 0 #SERVIDOR DE GERENCIA#
rule 40 permit ip source <ip_srv_U2000_bkp> destination <loopback 2> 0 #SERVIDOR DE GERENCIA BKP#
rule 50 permit ip source 181.213.160.0 0.0.1.255 destination <loopback 2> 0 #SERVIDOR DE GERENCIA NCE SPO#
rule 60 permit ip source 181.213.140.0 0.0.3.255 destination <loopback 2> 0 #SERVIDOR DE GERENCIA NCE RJO#
#SNMP#
rule 70 permit udp source 201.6.7.208 0.0.0.15 destination <loopback 2> 0 destination-port eq snmp #NOC#
rule 80 permit udp source 200.255.253.10 0 destination <loopback 2> 0 destination-port eq snmp #GRB#
rule 90 permit udp source 200.255.253.11 0 destination <loopback 2> 0 destination-port eq snmp #GRB#
rule 100 permit udp source <ip_pagina_datacenter_local> 0 destination <loopback 2> 0 destination-port eq snmp #PAGINA DATACENTER#
rule 110 permit udp source 181.213.166.0 0.0.0.15 destination <loopback 2> 0 destination-port eq snmp #NCE ODN#
rule 120 permit udp source <ip_coletora_visium> 0 destination <loopback 2> 0 destination-port eq snmp #VISIUM#
#IPAM#
rule 130 permit udp source 201.6.20.64 0.0.0.15 destination <loopback 2> 0 destination-port eq snmp
rule 140 permit tcp source 201.6.20.64 0.0.0.15 destination <loopback 2> 0 destination-port eq 9974
#BGP#
rule 150 permit tcp source <source-ip-BGP> 0 source-port eq bgp destination <loopback 0> 0
rule 160 permit tcp source <source-ip-BGP> 0 destination <loopback 0> 0 destination-port eq bgp
#OSPF#
rule 170 permit ospf source <rede_front_gpon> <wild_mask>
#NTP#
rule 180 permit udp source <ip_servidor_ntp> 0 destination-port eq ntp
#ICMP#
rule 190 permit icmp source <rede_front_operação> <wild_mask> icmp-type echo #FRONT OPERAÇÃO#
rule 200 permit icmp source 201.6.4.0 0.0.0.255 icmp-type echo #FRONT ENGENHARIA#
rule 210 permit icmp source <ip_servidor_nagios> destination <loopback 2> 0 icmp-type echo #NAGIOS#
rule 220 permit icmp source 200.255.253.10 0 destination <loopback 2> 0 icmp-type echo #GRB#
rule 230 permit icmp source 200.255.253.11 0 destination <loopback 2> 0 icmp-type echo #GRB#
rule 240 permit icmp source <ip_coletora_visium> 0 destination <loopback 2> 0 icmp-type echo #VISIUM#
#DHCP#
rule 250 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootps
rule 260 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootpc
#DENY GW#
rule 270 deny ip source any destination <gw_cpe_nat_1> 0
rule 280 deny ip source any destination <gw_cpe_1> 0
rule 290 deny ip source any destination <gw_cpe_netfone_1> 0
#TRAFFIC CPE#
rule 300 permit ip source any destination <rede_cpe_nat_1> <wild_mask>
rule 310 permit ip source any destination <rede_cpe_1> <wild_mask>
rule 320 permit ip source any destination <rede_cpe_netfone_1> <wild_mask>

- ACL 111 (observação: a ACL 3102 acima não termina com "quit"; confirmar que a visão da ACL 3102 foi encerrada antes de criar a 3111)
acl 3111
description "Cable ACL Inbound"
#PERMIT DHCP#
rule 10 permit udp destination-port eq bootps
rule 20 permit udp destination-port eq bootpc
#DENY OF PORTS#
rule 30 deny tcp destination-port range 135 139
rule 40 deny udp destination-port range 135 netbios-ssn
rule 50 deny tcp destination-port eq 445
rule 60 deny udp destination-port eq 445
rule 70 deny tcp destination-port eq 1900
rule 80 deny udp destination-port eq 1900
rule 90 deny udp destination-port eq 3306
rule 100 deny tcp destination-port eq 3306
#DENY INTERNAL AND MULTICAST NETWORKS#
rule 110 deny ip destination 10.0.0.0 0.255.255.255
rule 120 deny ip destination 169.254.0.0 0.0.255.255
rule 130 deny ip destination 172.16.0.0 0.15.255.255
rule 140 deny ip destination 192.0.2.0 0.0.0.255
rule 150 deny ip destination 192.168.0.0 0.0.255.255
rule 160 deny ip destination 127.0.0.0 0.255.255.255
rule 170 deny ip destination 224.0.0.0 15.255.255.255
rule 180 deny ip destination 240.0.0.0 15.255.255.255
#ICMP#
rule 190 deny icmp icmp-type echo destination <rede_front_operação> <wild_mask> #FRONT OPERAÇÃO#
rule 200 deny icmp icmp-type echo destination 201.6.4.0 0.0.0.255 #FRONT ENGENHARIA#
rule 210 permit icmp icmp-type echo
rule 220 permit icmp icmp-type echo-reply
rule 230 permit icmp icmp-type ttl-exceeded
rule 240 permit icmp icmp-type fragmentneed-dfset
rule 250 deny icmp
#DOMAIN#
rule 260 permit tcp destination <rede_front_operação> <wild_mask> destination-port eq domain
#DNS#
rule 270 permit udp destination <rede_front_operação> <wild_mask> destination-port eq dns
#WWW#
rule 280 permit tcp destination <rede_front_operação> <wild_mask> destination-port eq www
#DENY TO FRONT OPERAÇÃO#
rule 290 deny ip destination <rede_front_operação> <wild_mask>
#DENY TO FRONT ENGENHARIA#
rule 300 deny ip destination <rede_front_engenharia> <wild_mask>
#DENY GW#
rule 310 deny ip destination <gw_cpe_nat_1> 0
rule 320 deny ip destination <gw_cpe_1> 0
rule 330 deny ip destination <gw_cpe_netfone_1> 0
#PERMIT BLOCO CPE#
rule 340 permit ip source <rede_cpe_nat_1> <wild_mask> destination any
rule 350 permit ip source <rede_cpe_1> <wild_mask> destination any
rule 360 permit ip source <rede_cpe_netfone_1> <wild_mask> destination any
#DENY ALL#
rule 999 deny ip source any destination any
quit

- ACL 112
acl 3112
description "Cable ACL Outbound"
#PERMIT DHCP FRONT OPERAÇÃO#
rule 10 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootps
rule 20 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootpc
#DENY OF PORTS#
rule 30 deny tcp destination-port range 135 139
rule 40 deny udp destination-port range 135 netbios-ssn
rule 50 deny tcp destination-port eq 445
rule 60 deny udp destination-port eq 445
rule 70 deny tcp destination-port eq 1900
rule 80 deny udp destination-port eq 1900
rule 90 deny udp destination-port eq 3306
rule 100 deny tcp destination-port eq 3306
#PERMIT BLOCKS CPE#
rule 170 permit ip source any destination <rede_cpe_nat_1> <wild_mask>
rule 180 permit ip source any destination <rede_cpe_1> <wild_mask>
rule 190 permit ip source any destination <rede_cpe_netfone_1> <wild_mask>
#DENY ALL#
rule 999 deny ip source any destination any
quit

#ACLs-IPv6#

-ACL 3202
acl ipv6 3202
description "IPv6 Front"
#ACCESS BLOCK INFRA/SERVER TO OLT#
rule 10 permit ipv6 source <rede_ipv6_infra> 44 destination <loopback 1> 128
rule 20 permit ipv6 source <rede_ipv6_servidores> 44 destination <loopback 1> 128
#DENY SOURCE GW#
rule 30 deny ipv6 source any destination <gw_rede_ipv6> 128
#DENY ICMP#
rule 40 deny icmpv6 icmp6-type 5 99
rule 50 deny icmpv6 icmp6-type 102 126
rule 60 deny icmpv6 icmp6-type 155 199
rule 70 deny icmpv6 icmp6-type 202 204
rule 80 deny icmpv6 icmp6-type 127 127
rule 90 deny icmpv6 icmp6-type 255 255
rule 100 deny icmpv6 icmp6-type 100 100
rule 110 deny icmpv6 icmp6-type 101 101
rule 120 deny icmpv6 icmp6-type 200 200
rule 130 deny icmpv6 icmp6-type 201 201
#DENY PORTS#
rule 140 deny tcp source any destination any source-port eq 135 destination-port eq 135
rule 150 deny tcp source any destination any source-port eq 136 destination-port eq 136
rule 160 deny tcp source any destination any source-port eq 137 destination-port eq 137
rule 170 deny tcp source any destination any source-port eq 138 destination-port eq 138
rule 180 deny tcp source any destination any source-port eq 139 destination-port eq 139
rule 190 deny tcp source any destination any source-port eq 445 destination-port eq 445
rule 200 deny tcp source any destination any source-port eq 1080 destination-port eq 1080
rule 210 deny tcp source any destination any source-port eq 3128 destination-port eq 3128
rule 220 deny tcp source any destination any source-port eq 4480 destination-port eq 4480
rule 230 deny tcp source any destination any source-port eq 6588 destination-port eq 6588
rule 240 deny udp source any destination any source-port eq netbios-ns destination-port eq netbios-ns
rule 250 deny udp source any destination any source-port eq netbios-ssn destination-port eq netbios-ssn
rule 260 deny udp source any destination any source-port eq 445 destination-port eq 445
rule 270 deny udp source any destination any source-port eq 1900 destination-port eq 1900
rule 280 deny tcp source any destination any source-port eq 1900 destination-port eq 1900
rule 290 deny udp source any destination any source-port eq 3306 destination-port eq 3306
rule 300 deny tcp source any destination any source-port eq 3306 destination-port eq 3306
#PERMIT PD#
rule 310 permit ipv6 source any destination <rede_ipv6_PD> 48
quit

#Aplicar ACLs# (observação: a Vlanif<id_vlan_ipv4> já recebeu "firewall packet-filter 3088 inbound" na seção "Interfaces IPs"; confirmar se a aplicação da 3102 substitui a 3088 nessa interface ou se ambas permanecem ativas)

interface Vlanif<id_vlan_ipv4>
firewall packet-filter 3102 inbound
quit

interface Vlanif4074
firewall packet-filter 3111 inbound
firewall packet-filter 3112 outbound
quit

config
packet-filter inbound ipv6 ip-group 3202 port 0/8/0
quit

#Configurar proxy ARP#


interface Vlanif4074
arp proxy enable
quit
arp proxy enable
arp aging-time 5

#Description da porta PON#


port desc 0/1/0 description <DxSyPxx-nomeramopon_DxSyPxx-nomeramopon>
port desc 0/1/0 description "D1S1P12-JDC4601_D1S2P30-JDC4602" - Exemplo
Separação de nodes com "_" (underline); a separação entre a informação da posição do
DIO e a nomenclatura do ramo PON é feita com "-" (hífen).
