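##Everything written between "#" markers is a comment and must not be applied to the OLT##
#Template for bringing up a new GPON OLT: management hardening, SNMP, VLANs, IP interfaces, LAG, IPv6, OSPF, BGP, TACACS+, IPTV and ACLs. Values in <angle brackets> are replaced per site#
#Disable Telnet; ACL 3088 below restricts which sources may reach TCP/22#
sysman service telnet disable
#Configure hostname: <city_abbreviation + site + OLT + olt_number_at_site>#
sysname <sigla_da_cidade + site + OLT + numero_da_olt_do_site>
#Example: sysname SNGCTROLT01#
#ACL - SSH source restriction (advanced ACL, applied inbound on Vlanif<id_vlan_ipv4> below)#
acl 3088
description "Bloqueio_SSH"
rule 10 permit tcp source <rede_front_operação> <wild_mask> destination-port eq 22
rule 20 permit tcp source 201.6.4.0 0.0.0.255 destination-port eq 22
rule 30 permit tcp source 181.213.160.0 0.0.1.255 destination-port eq 22
rule 40 permit tcp source 181.213.140.0 0.0.3.255 destination-port eq 22
rule 50 permit tcp source <ip_servidor_U2000> 0 destination-port eq 22
rule 60 permit tcp source <ip_servidor_U2000_bkp> 0 destination-port eq 22
rule 70 permit tcp source 181.213.166.0 0.0.0.15 destination-port eq 22
#Any other source to TCP/22 is dropped; this ACL does not match traffic to other ports#
rule 200 deny tcp destination-port eq 22
quit
#ACL - SNMP sources (basic ACL, bound with "snmp-agent acl 2089" below)#
acl 2089
description "SNMP"
#NOTE(review): rules 40-100 give the mask as a prefix length (24, 23, 22, 28) while rules 10-20 and 110-120 use wildcard form (0, 0.0.0.15); ACL 3102 writes the same 201.6.7.208 and 201.6.20.64 networks as 0.0.0.15 - confirm which form this platform accepts, otherwise these rules will not match the intended networks#
rule 10 permit source 200.255.253.10 0
rule 20 permit source 200.255.253.11 0
rule 30 permit source <rede_front_operação> <mask>
rule 40 permit source 201.6.4.0 24
rule 50 permit source 181.213.160.0 23
rule 60 permit source 181.213.140.0 22
rule 70 permit source <ip_servidor_U2000> 0
rule 80 permit source <ip_servidor_U2000_bkp> 0
rule 90 permit source 201.6.7.208 28
rule 100 permit source 201.6.20.64 28
rule 110 permit source 181.213.166.0 0.0.0.15
rule 120 permit source <ip_coletora_visium> 0
rule 200 deny
quit
#SNMP#
#NOTE(review): the next line appears to disable the SNMP community-string complexity check. The communities below are literal values kept in this template, travel in cleartext (v2c) and are protected only by source ACL 2089 - treat them as secrets and rotate them if this document is shared#
undo system snmp-user password security
snmp-agent community write paranoia
snmp-agent community read D3s3nMs0
snmp-agent community read n0cn3t
snmp-agent community read t3MP35t@d3
snmp-agent community read 3mbr@t3l
snmp-agent community read Nc3Hu@w31
snmp-agent community read m0nit0r4c40
snmp-agent sys-info contact "datacenter.<sigla_da_operacao>.virtua.com.br"
snmp-agent sys-info location "DHCP: <ip_dhcp_primary> FAILOVER: <ip_dhcp_secondary>"
snmp-agent sys-info version v2c
snmp-agent trap enable standard
#Traps to the primary and backup U2000; the trap securityname reuses the write community#
snmp-agent target-host trap-hostname U2000-GPON address <ip_servidor_U2000> udp-port 162 trap-paramsname U2000-GPON
snmp-agent target-host trap-paramsname U2000-GPON v2c securityname cipher paranoia
snmp-agent target-host trap-hostname U2000-GPON-BKP address <ip_servidor_U2000_bkp> udp-port 162 trap-paramsname U2000-GPON-BKP
snmp-agent target-host trap-paramsname U2000-GPON-BKP v2c securityname cipher paranoia
snmp-agent acl 2089
#VLANs (the "y" answers the confirmation prompt of the bulk vlan command)#
vlan 2 to 4078 smart
y
vlan desc <id_vlan_ipv4> description "IPv4_Uplink"
vlan desc <id_vlan_ipv6> description "IPv6_Uplink"
vlan desc 4074 description "GPON_VLAN"
#Timezone#
timezone GMT- 03:00
#Interface IP addresses#
interface LoopBack0
description "INFRA-IPV4-RESIDENCIAL"
ip address <ipv4> 255.255.255.255
quit
interface Vlanif<id_vlan_ipv4>
description "IPv4_Uplink"
ip address <ipv4> <mask>
#NOTE(review): ACL 3102 is also applied inbound on this interface in the last section of the template; if the platform keeps a single inbound packet-filter per interface, that later command replaces 3088 and the TCP/22 source restriction is lost (3102 has no deny for SSH) - confirm on the target OLT#
firewall packet-filter 3088 inbound
quit
interface Vlanif<id_vlan_ipv6>
description "IPv6_Uplink"
ipv6 enable
ipv6 address <ipv6>/126
quit
interface LoopBack1
description "INFRA-IPV6-RESIDENCIAL"
ipv6 enable
ipv6 address <ipv6>/128
quit
interface LoopBack2
description "GERENCIA-OLT-RESIDENCIAL"
ip address <ipv4> 255.255.255.255
quit
#Configure LAG (uplink ports 0/8/0 and 0/9/0, static LACP)#
link-aggregation 0/8 0 0/9 0 egress-ingress workmode lacp-static
link-aggregation add-member 0/8/0 0/9 0
link-aggregation description 0/8/0 "Roteador_xxx_Porta_0/0/x"
link-aggregation description 0/9/0 "Roteador_xxx_Porta_0/0/x"
#Subscriber VLAN interface (ONT side)#
interface Vlanif4074
description "ONT_Interface"
ipv6 enable
ip address <gw_cpe_nat_1> <mask> description "Rede_CPE_CGNAT"
ip address <gw_cpe_1> <mask> sub description "Rede_CPE_Virtua"
ip address <gw_cpe_netfone_1> <mask> sub description "Rede_CPE_NETFONE"
ipv6 address <gw_rede_ipv6>/64
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
dhcp-server 1
dhcpv6-server 1
quit
interface Vlanif4074
dhcp domain "default" gateway-group "GPON"
dhcp domain "default" gateway ipv6 <gw_rede_ipv6>
quit
#IPv6 - Global#
security bind-route-nd enable
#IPv6 - VLAN service profile#
vlan service-profile profile-id 2 profile-name "IPv6_PD_Routing_enable"
security bind-route-nd enable
commit
quit
#Static route: null route for the OLT IPv6 aggregate, which is announced with "network" under ipv6-family below#
ipv6 route-static <bloco_ipv6_OLT> 48 NULL0
###OSPF###
#NOTE(review): no OSPF/OSPFv3 authentication appears in this template; OSPF is restricted only by source network in ACL 3102 rule 170 - confirm that is the intended protection for the IGP#
#OSPFv2#
ospf 28573 router-id <ip_loopback_0>
maximum load-balancing 8
area <area_ospf_cidade_net>
description "OSPF-IPV4-<nome da nova cidade>"
interface LoopBack0
ospf enable 28573 area <area_ospf_cidade_net>
quit
#OSPFv3#
ospfv3 28573
router-id <ip_loopback_1>
maximum load-balancing 8
area <area_ospf_cidade_net>
description "OSPF-IPV6-<nome da nova cidade>"
interface LoopBack1
ospfv3 28573 area <area_ospf_cidade_net>
quit
###BGP###
#IP prefix lists#
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 5 permit <loopback 2> <mask>
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 10 permit <rede_cpe_nat_1> <mask>
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 15 permit <rede_cpe_1> <mask>
ip ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR" index 20 permit <rede_cpe_netfone_1> <mask>
ip ip-prefix "DEFAULT-ROUTE-IPV4" index 5 permit 0.0.0.0 0
ip ip-prefix "PLATAFORMA-MULTICAST-ALLIP" index 5 deny 0.0.0.0 0
ip ip-prefix "PLATAFORMA-MULTICAST-ALLIP" index 10 permit <rede_DCM1> <mascara>
ip ip-prefix "PLATAFORMA-MULTICAST-ALLIP" index 20 permit <rede_DCM2> <mascara>
ip ip-prefix "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" index 10 deny 0.0.0.0 0
#Route policies#
#NOTE(review): the IPv6 policies reference prefix-lists "ANNOUNCE-V6-TO-GPON" and "DEFAULT-ROUTE-IPV6" that are not defined in this template - confirm they already exist on the OLT or add them before applying the policies#
#IPv6 - OUT#
route-policy "ANNOUNCE-GPON-IPV6-OUT" permit node 5
if-match ipv6 address prefix-list "ANNOUNCE-V6-TO-GPON"
apply community 28573:<codigo_anatel_cidade_nova>
quit
#IPv6 - IN#
route-policy "RECEIVED-GPON-IPV6-IN" permit node 5
if-match ipv6 address prefix-list "DEFAULT-ROUTE-IPV6"
quit
#IPv4 - OUT#
route-policy "ANNOUNCE-IPV4-TO-CORE-RR" permit node 10
if-match ip-prefix "ANNOUNCE-IPV4-TO-CORE-RR"
apply community 28573:<codigo_anatel_cidade_nova>
quit
#IPv4 - IN#
route-policy "RECEIVED-IPV4-TO-CORE-RR" permit node 5
if-match ip-prefix "DEFAULT-ROUTE-IPV4"
quit
#IPTV - IN#
route-policy "RECEIVED-IPV4-MULTICAST-OF-ALLIP" permit node 10
if-match ip-prefix "PLATAFORMA-MULTICAST-ALLIP"
quit
#IPTV - OUT#
route-policy "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" permit node 10
if-match ip-prefix "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP"
quit
#BGP peers#
bgp 28573
peer <ip_loopback_ipv4_infra_router_virtua> as-number 28573
peer <ip_loopback_ipv4_infra_router_virtua> description "BGP-IPV4-GPON-CORE-RR-CPSCPDRTD02"
peer <ip_loopback_ipv4_infra_router_virtua> connect-interface "LoopBack0"
peer <ip_loopback_ipv6_infra_router_virtua> as-number 28573
peer <ip_loopback_ipv6_infra_router_virtua> description "IBGP-IPV6-GPON-RR-CORE-CPSCPDRTD02"
peer <ip_loopback_ipv6_infra_router_virtua> connect-interface "LoopBack1"
#NOTE(review): the two iBGP sessions to the core RR carry no "password cipher", unlike the SSD peer below - confirm whether session authentication on the core sessions is intended#
peer <ip_do_neighbor_da_vlan_informado_na_SSD> as-number <as_bgp_informado_na_ssd>
peer <ip_do_neighbor_da_vlan_informado_na_SSD> connect-interface <id_da_vlan_cfme_SSD>
peer <ip_do_neighbor_da_vlan_informado_na_SSD> password cipher <senha_bgp_informada_na_ssd>
ipv4-family unicast
undo synchronization
network <loopback 2> <mask>
network <rede_cpe_nat_1> <mask>
network <rede_cpe_1> <mask>
network <rede_cpe_netfone_1> <mask>
peer <ip_loopback_ipv4_infra_router_virtua> enable
peer <ip_loopback_ipv4_infra_router_virtua> route-policy "RECEIVED-IPV4-TO-CORE-RR" import
peer <ip_loopback_ipv4_infra_router_virtua> route-policy "ANNOUNCE-IPV4-TO-CORE-RR" export
peer <ip_loopback_ipv4_infra_router_virtua> next-hop-local
peer <ip_loopback_ipv4_infra_router_virtua> advertise-community
peer <ip_loopback_ipv4_infra_router_virtua> advertise-ext-community
peer <ip_do_neighbor_da_vlan_informado_na_SSD> enable
peer <ip_do_neighbor_da_vlan_informado_na_SSD> route-policy "RECEIVED-IPV4-MULTICAST-OF-ALLIP" import
peer <ip_do_neighbor_da_vlan_informado_na_SSD> route-policy "ANNOUNCE-IPV4-MULTICAST-TO-ALLIP" export
peer <ip_do_neighbor_da_vlan_informado_na_SSD> next-hop-local
#allow-as-loop relaxes the AS-path loop check on the SSD (multicast platform) peer only#
peer <ip_do_neighbor_da_vlan_informado_na_SSD> allow-as-loop 10
quit
ipv6-family unicast
undo synchronization
network <bloco_ipv6_OLT> 48
peer <ip_loopback_ipv6_infra_router_virtua> enable
peer <ip_loopback_ipv6_infra_router_virtua> route-policy "RECEIVED-GPON-IPV6-IN" import
peer <ip_loopback_ipv6_infra_router_virtua> route-policy "ANNOUNCE-GPON-IPV6-OUT" export
#NOTE(review): only the IPv6 session is configured with reflect-client (the IPv4 session is not) - confirm the OLT is meant to act as route reflector towards the core RR for IPv6#
peer <ip_loopback_ipv6_infra_router_virtua> reflect-client
peer <ip_loopback_ipv6_infra_router_virtua> next-hop-local
peer <ip_loopback_ipv6_infra_router_virtua> advertise-community
peer <ip_loopback_ipv6_infra_router_virtua> advertise-ext-community
quit
quit
#TACACS+ AAA#
hwtacacs-server template "tacacs"
hwtacacs-server authentication 201.6.4.39
hwtacacs-server authentication 201.6.4.38 secondary
hwtacacs-server authorization 201.6.4.39
hwtacacs-server authorization 201.6.4.38 secondary
hwtacacs-server accounting 201.6.4.39
hwtacacs-server accounting 201.6.4.38 secondary
hwtacacs-server source-interface "LoopBack2"
hwtacacs-server shared-key cipher <chave_tacacs>
hwtacacs-server timer response-timeout 10
undo hwtacacs-server user-name domain-included
quit
aaa
#authentication-mode hwtacacs local: TACACS+ first, local accounts as fallback#
authentication-scheme "tacacs+"
authentication-mode hwtacacs local
quit
#NOTE(review): "hwtacacs none" appears to skip authorization entirely when the servers are unreachable, and command authorization is listed for levels 0-2 only - confirm both are intended for this platform#
authorization-scheme "tacacs+"
authorization-mode hwtacacs none
authorization-cmd 0 hwtacacs
authorization-cmd 1 hwtacacs
authorization-cmd 2 hwtacacs
quit
accounting-scheme "tacacs+"
accounting-mode hwtacacs
quit
domain "default"
authentication-scheme "tacacs+"
authorization-scheme "tacacs+"
accounting-scheme "tacacs+"
hwtacacs-server "tacacs"
quit
recording-scheme "tacacs+"
recording-mode hwtacacs "tacacs"
quit
quit
#Autosave#
autosave time on
autosave interval 240
autosave type all
#NTP synchronization#
ntp-service unicast-server <ip_srv_ntp> source-interface Vlanif<id_vlan_ipv4>
#Autofind timeout#
ont autofind timeout 100
#IPTV (multicast) - always configure this section, even if the IPTV service has not yet been deployed in the city#
interface Vlanif4073
description VLAN-MULTICAST-OF-OLT-TO-ONT
#NOTE(review): 1.1.1.1/30 is publicly routed address space, not a private range - confirm it is intended for this internal multicast interface#
ip address 1.1.1.1 255.255.255.252
quit
acl 4073
rule 10 permit source 4073
quit
#NOTE(review): "link-group 4000" and "acl-index 32" below, and "rule 10 permit source 4073" in ACL 4073, reference values not defined elsewhere in this template - confirm them against the platform syntax before applying#
traffic-priority outbound link-group 4000 rule 10 acl-index 32 dscp 36 port 0/<slot>/<porta PON>
multicast routing-enable
acl 2999
description MULTICAST IPTV
rule 10 permit source 235.0.<ddd_da_origem_do_multicast>.0 0.0.0.255
quit
pim
ssm-policy 2999
quit
btv
igmp query-offline-user enable
igmp cascade-port 0/8/3
btv
igmp static-join cascade-port 0/8/3 ip 235.0.<ddd_da_origem_do_multicast>.<id_do_canal> vlan 4073 sourceip <ip_da_porta_do_DCM>
multicast-vlan 4073
igmp program rename PROGRAM-0 Globo_HD
igmp program rename PROGRAM-1 Band_HD
quit
#ACLs#
#ACL 3102 - Front (uplink inbound; applied on Vlanif<id_vlan_ipv4> in the last section)#
acl 3102
description "Bloqueio_Porta_Uplink_Inbound"
#SSH ACCESS#
rule 10 permit ip source <rede_front_operação> <wild_mask> destination <loopback 2> 0 #FRONT OPERATIONS#
rule 20 permit ip source 201.6.4.0 0.0.0.255 destination <loopback 2> 0 #FRONT ENGINEERING#
#OLT MANAGEMENT#
rule 30 permit ip source <ip_servidor_U2000> 0 destination <loopback 2> 0 #MANAGEMENT SERVER#
rule 40 permit ip source <ip_servidor_U2000_bkp> 0 destination <loopback 2> 0 #MANAGEMENT SERVER BKP#
rule 50 permit ip source 181.213.160.0 0.0.1.255 destination <loopback 2> 0 #NCE SPO MANAGEMENT SERVER#
rule 60 permit ip source 181.213.140.0 0.0.3.255 destination <loopback 2> 0 #NCE RJO MANAGEMENT SERVER#
#SNMP#
rule 70 permit udp source 201.6.7.208 0.0.0.15 destination <loopback 2> 0 destination-port eq snmp #NOC#
rule 80 permit udp source 200.255.253.10 0 destination <loopback 2> 0 destination-port eq snmp #GRB#
rule 90 permit udp source 200.255.253.11 0 destination <loopback 2> 0 destination-port eq snmp #GRB#
rule 100 permit udp source <ip_pagina_datacenter_local> 0 destination <loopback 2> 0 destination-port eq snmp #DATACENTER PAGE#
rule 110 permit udp source 181.213.166.0 0.0.0.15 destination <loopback 2> 0 destination-port eq snmp #NCE ODN#
rule 120 permit udp source <ip_coletora_visium> 0 destination <loopback 2> 0 destination-port eq snmp #VISIUM#
#IPAM#
rule 130 permit udp source 201.6.20.64 0.0.0.15 destination <loopback 2> 0 destination-port eq snmp
rule 140 permit tcp source 201.6.20.64 0.0.0.15 destination <loopback 2> 0 destination-port eq 9974
#BGP#
rule 150 permit tcp source <source-ip-BGP> 0 source-port eq bgp destination <loopback 0> 0
rule 160 permit tcp source <source-ip-BGP> 0 destination <loopback 0> 0 destination-port eq bgp
#OSPF#
rule 170 permit ospf source <rede_front_gpon> <wild_mask>
#NTP#
rule 180 permit udp source <ip_srv_ntp> 0 destination-port eq ntp
#ICMP#
rule 190 permit icmp source <rede_front_operação> <wild_mask> icmp-type echo #FRONT OPERATIONS#
rule 200 permit icmp source 201.6.4.0 0.0.0.255 icmp-type echo #FRONT ENGINEERING#
rule 210 permit icmp source <ip_servidor_nagios> 0 destination <loopback 2> 0 icmp-type echo #NAGIOS#
rule 220 permit icmp source 200.255.253.10 0 destination <loopback 2> 0 icmp-type echo #GRB#
rule 230 permit icmp source 200.255.253.11 0 destination <loopback 2> 0 icmp-type echo #GRB#
rule 240 permit icmp source <ip_coletora_visium> 0 destination <loopback 2> 0 icmp-type echo #VISIUM#
#DHCP#
rule 250 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootps
rule 260 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootpc
#DENY GW#
rule 270 deny ip source any destination <gw_cpe_nat_1> 0
rule 280 deny ip source any destination <gw_cpe_1> 0
rule 290 deny ip source any destination <gw_cpe_netfone_1> 0
#CPE TRAFFIC#
rule 300 permit ip source any destination <rede_cpe_nat_1> <wild_mask>
rule 310 permit ip source any destination <rede_cpe_1> <wild_mask>
rule 320 permit ip source any destination <rede_cpe_netfone_1> <wild_mask>
#NOTE(review): unlike 3111/3112 this ACL ends without an explicit "deny ip source any destination any"; unmatched inbound traffic (including TCP/22 from unlisted sources, which only ACL 3088 denies) falls through to the platform default - confirm that default is the intended one#
quit
#ACL 3111 - subscriber side inbound (applied on Vlanif4074)#
acl 3111
description "Cable ACL Inbound"
#PERMIT DHCP#
rule 10 permit udp destination-port eq bootps
rule 20 permit udp destination-port eq bootpc
#DENY PORTS#
rule 30 deny tcp destination-port range 135 139
rule 40 deny udp destination-port range 135 netbios-ssn
rule 50 deny tcp destination-port eq 445
rule 60 deny udp destination-port eq 445
rule 70 deny tcp destination-port eq 1900
rule 80 deny udp destination-port eq 1900
rule 90 deny udp destination-port eq 3306
rule 100 deny tcp destination-port eq 3306
#DENY INTERNAL AND MULTICAST NETWORKS#
rule 110 deny ip destination 10.0.0.0 0.255.255.255
rule 120 deny ip destination 169.254.0.0 0.0.255.255
rule 130 deny ip destination 172.16.0.0 0.15.255.255
rule 140 deny ip destination 192.0.2.0 0.0.0.255
rule 150 deny ip destination 192.168.0.0 0.0.255.255
rule 160 deny ip destination 127.0.0.0 0.255.255.255
rule 170 deny ip destination 224.0.0.0 15.255.255.255
rule 180 deny ip destination 240.0.0.0 15.255.255.255
#ICMP#
rule 190 deny icmp icmp-type echo destination <rede_front_operação> <wild_mask> #FRONT OPERATIONS#
rule 200 deny icmp icmp-type echo destination 201.6.4.0 0.0.0.255 #FRONT ENGINEERING#
rule 210 permit icmp icmp-type echo
rule 220 permit icmp icmp-type echo-reply
rule 230 permit icmp icmp-type ttl-exceeded
rule 240 permit icmp icmp-type fragmentneed-dfset
rule 250 deny icmp
#DOMAIN (TCP/53)#
rule 260 permit tcp destination <rede_front_operação> <wild_mask> destination-port eq domain
#DNS (UDP/53)#
rule 270 permit udp destination <rede_front_operação> <wild_mask> destination-port eq dns
#WWW#
rule 280 permit tcp destination <rede_front_operação> <wild_mask> destination-port eq www
#DENY TO FRONT OPERATIONS#
rule 290 deny ip destination <rede_front_operação> <wild_mask>
#DENY TO FRONT ENGINEERING#
rule 300 deny ip destination <rede_front_engenharia> <wild_mask>
#DENY GW#
rule 310 deny ip destination <gw_cpe_nat_1> 0
rule 320 deny ip destination <gw_cpe_1> 0
rule 330 deny ip destination <gw_cpe_netfone_1> 0
#PERMIT CPE BLOCKS (with rule 999, traffic from sources outside the three CPE networks is dropped unless an earlier rule matched it)#
rule 340 permit ip source <rede_cpe_nat_1> <wild_mask> destination any
rule 350 permit ip source <rede_cpe_1> <wild_mask> destination any
rule 360 permit ip source <rede_cpe_netfone_1> <wild_mask> destination any
#DENY ALL#
rule 999 deny ip source any destination any
quit
#ACL 3112 - subscriber side outbound (applied on Vlanif4074)#
acl 3112
description "Cable ACL Outbound"
#PERMIT DHCP FROM FRONT OPERATIONS#
rule 10 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootps
rule 20 permit udp source <rede_front_operação> <wild_mask> destination-port eq bootpc
#DENY PORTS#
rule 30 deny tcp destination-port range 135 139
rule 40 deny udp destination-port range 135 netbios-ssn
rule 50 deny tcp destination-port eq 445
rule 60 deny udp destination-port eq 445
rule 70 deny tcp destination-port eq 1900
rule 80 deny udp destination-port eq 1900
rule 90 deny udp destination-port eq 3306
rule 100 deny tcp destination-port eq 3306
#PERMIT CPE BLOCKS#
rule 170 permit ip source any destination <rede_cpe_nat_1> <wild_mask>
rule 180 permit ip source any destination <rede_cpe_1> <wild_mask>
rule 190 permit ip source any destination <rede_cpe_netfone_1> <wild_mask>
#DENY ALL#
rule 999 deny ip source any destination any
quit
#IPv6 ACLs#
#ACL 3202 - IPv6 Front (applied inbound on uplink port 0/8/0 in the last section)#
acl ipv6 3202
description "IPv6 Front"
#ACCESS FROM THE INFRA/SERVER BLOCKS TO THE OLT#
rule 10 permit ipv6 source <rede_ipv6_infra> 44 destination <loopback 1> 128
rule 20 permit ipv6 source <rede_ipv6_servidores> 44 destination <loopback 1> 128
#DENY GW#
rule 30 deny ipv6 source any destination <gw_rede_ipv6> 128
#DENY ICMPv6 TYPE RANGES (types 1-4 and 128-154, which include error messages, echo, MLD and ND, are outside the denied ranges)#
rule 40 deny icmpv6 icmp6-type 5 99
rule 50 deny icmpv6 icmp6-type 102 126
rule 60 deny icmpv6 icmp6-type 155 199
rule 70 deny icmpv6 icmp6-type 202 204
rule 80 deny icmpv6 icmp6-type 127 127
rule 90 deny icmpv6 icmp6-type 255 255
rule 100 deny icmpv6 icmp6-type 100 100
rule 110 deny icmpv6 icmp6-type 101 101
rule 120 deny icmpv6 icmp6-type 200 200
rule 130 deny icmpv6 icmp6-type 201 201
#DENY PORTS#
#NOTE(review): each port rule below matches only when source-port AND destination-port both equal the listed value; a connection from an ephemeral source port to e.g. TCP/445 is not matched, whereas the IPv4 ACLs 3111/3112 match on destination-port alone - confirm this is intended#
rule 140 deny tcp source any destination any source-port eq 135 destination-port eq 135
rule 150 deny tcp source any destination any source-port eq 136 destination-port eq 136
rule 160 deny tcp source any destination any source-port eq 137 destination-port eq 137
rule 170 deny tcp source any destination any source-port eq 138 destination-port eq 138
rule 180 deny tcp source any destination any source-port eq 139 destination-port eq 139
rule 190 deny tcp source any destination any source-port eq 445 destination-port eq 445
rule 200 deny tcp source any destination any source-port eq 1080 destination-port eq 1080
rule 210 deny tcp source any destination any source-port eq 3128 destination-port eq 3128
rule 220 deny tcp source any destination any source-port eq 4480 destination-port eq 4480
rule 230 deny tcp source any destination any source-port eq 6588 destination-port eq 6588
rule 240 deny udp source any destination any source-port eq netbios-ns destination-port eq netbios-ns
rule 250 deny udp source any destination any source-port eq netbios-ssn destination-port eq netbios-ssn
rule 260 deny udp source any destination any source-port eq 445 destination-port eq 445
rule 270 deny udp source any destination any source-port eq 1900 destination-port eq 1900
rule 280 deny tcp source any destination any source-port eq 1900 destination-port eq 1900
rule 290 deny udp source any destination any source-port eq 3306 destination-port eq 3306
rule 300 deny tcp source any destination any source-port eq 3306 destination-port eq 3306
#PERMIT PD#
rule 310 permit ipv6 source any destination <rede_ipv6_PD> 48
quit
#Apply ACLs#
interface Vlanif<id_vlan_ipv4>
firewall packet-filter 3102 inbound
quit
interface Vlanif4074
firewall packet-filter 3111 inbound
firewall packet-filter 3112 outbound
quit
config
#NOTE(review): the LAG created above spans ports 0/8/0 and 0/9/0, but this IPv6 filter is bound to 0/8/0 only - confirm whether 0/9/0 needs the same binding so traffic arriving on the second member is filtered too#
packet-filter inbound ipv6 ip-group 3202 port 0/8/0
quit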