
пример "живого" конфига Cisco ASR 2025 года из действующей сети

cisco.txt
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): 'service password-encryption' only applies type-7 obfuscation, which is
! reversible; the 'key 7' / 'server-key 7' values further down are therefore not protected
! by it. The enable/username secrets use type 9, which is the right choice.
service password-encryption
service call-home
service unsupported-transceiver
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level 20000000
!
hostname RR
!
boot-start-marker
boot system bootflash:asr1001x-universalk9.17.06.05.SPA.bin
boot-end-marker
!
!
! Management VRF is declared but no interface in this listing is bound to it, so
! management traffic shares the global table with subscriber/NAT traffic.
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
! Only critical messages reach the console. No 'logging host' / 'logging buffered' appears
! in this listing - confirm remote syslog is configured (possibly redacted), since AAA/ISG
! session events and 'login on-success log' are only useful if they are retained somewhere.
logging console critical
enable secret 9 xxxxxx
!
aaa new-model
!
!
! RADIUS group for subscriber authorization (ISG_AUTH_LIST) and accounting (ISG_ACCT_LIST).
! Requests are sourced from the uplink subinterface, so the server sees that address as the NAS.
aaa group server radius ISG_SRV_GROUP
 server name RAD1
 ip radius source-interface TenGigabitEthernet0/0/0.1200
!
! Separate group/server for ISG service (policy) downloads.
aaa group server radius ISG_SERVICE_SRV_GROUP
 server name RAD2
 ip radius source-interface TenGigabitEthernet0/0/0.1200
!
! Operator login is local-only (see 'username admin' below); subscriber AAA goes to RADIUS.
aaa authentication login default local
aaa authorization network ISG_AUTH_LIST group ISG_SRV_GROUP 
aaa authorization subscriber-service default group ISG_SERVICE_SRV_GROUP 
! Interim accounting every 5 minutes with no jitter; delay-start holds the Accounting-Start
! until the session has its address.
aaa accounting delay-start all
aaa accounting jitter maximum 0
aaa accounting update periodic 5
aaa accounting network ISG_ACCT_LIST start-stop group ISG_SRV_GROUP
!
!
!
!
!
! CoA / Disconnect listener (RFC 5176) on UDP 3799. Only the listed client address is accepted,
! which is the main control here - keep it limited to the billing host(s). The key is stored
! as type 7 (reversible), so the strength of the secret itself is what matters.
! 'auth-type any' is the least strict of the matching modes (all / any / session-key) - confirm intended.
aaa server radius dynamic-author
 client x.x.x.x server-key 7 password 
 server-key 7 XXXXXXXXXXXXXXX
 port 3799
 auth-type any
!
aaa session-id common
! Static UTC+3 offset; no 'ntp server' in this listing. Accurate time matters for AAA
! accounting and log correlation - confirm NTP is configured (possibly redacted).
clock timezone EEST 3 0
!
!
!
!
!
!
!
! Enables DHCP option-82 insertion on the relay globally; the remote-id it carries is the
! subscriber identifier that the IPOE_CUSTOMERS policy sends to RADIUS.
ip dhcp relay information option
!
!
!
! Successful logins are logged; there is no 'login on-failure log' or 'login block-for' in
! this listing, so failed attempts are neither recorded nor throttled at this layer.
login on-success log
!
!
!
!
!
!
!
! ISG subscriber features: templating and per-session authorization.
subscriber templating
subscriber authorization enable
! 
! 
! 
! 
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
! Licensing trustpoint (Cisco CA loaded from nvram); CRL checking enabled.
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
! Self-signed certificate, normally generated for HTTPS management. Both HTTP servers are
! disabled further down, so it appears unused in this listing - harmless, but confirm.
crypto pki trustpoint TP-self-signed-XXXXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXXXX
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01 nvram:CiscoLicensi#1CA.cer
crypto pki certificate chain TP-self-signed-XXXXXXXXX
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
!
! Device identity / license level; serial redacted.
license udi pid ASR1001-X sn XXXXXXXXXXXXXX
license accept end user agreement
license boot level adventerprise
memory free low-watermark processor 682835
!
!
spanning-tree extend system-id
no spanning-tree vlan 1-4000
diagnostic bootup level minimal
!
! Single local administrative account with a type-9 (scrypt) secret and privilege 15.
! Since 'aaa authentication login default local' is the only login method, this one shared
! account is the whole operator access control; per-person accounts or central AAA would
! give attribution in the logs.
username admin privilege 15 secret 9 xxxxx
!
redundancy
 mode none
!
!
!
!
!
!
!
! ISG control class: true once timer 2MIN has expired and the session is still unauthenticated.
class-map type control match-all COND_LAST
 match timer 2MIN 
 match authen-status unauthenticated 
!
!
! Classifiers for the COPP control-plane policy; each matches the same-named extended ACL below.
class-map match-all TELNET
 match access-group name TELNET
class-map match-all ICMP
 match access-group name ICMP
class-map match-all HSRP
 match access-group name HSRP
class-map match-all EIGRP
 match access-group name EIGRP
 
 
 
! ISG control policy applied to the QinQ access subinterfaces (DHCP-initiated IPoE sessions).
policy-map type control IPOE_CUSTOMERS
 ! Session still unauthorized when the 2-minute timer expires -> tear it down.
 class type control COND_LAST event timed-policy-expiry
  10 service disconnect
 !
 ! On start: Access-Request via ISG_AUTH_LIST with the DHCP option-82 remote-id as identifier
 ! and the fixed password 'cisco'. That password is the usual ISG convention, is stored in
 ! clear text and should not be treated as a secret; the decision actually rests on the RADIUS
 ! shared key and on the integrity of the remote-id (see 'ip dhcp relay information trusted'
 ! on the access subinterfaces - it must only be reachable via access switches that insert
 ! option 82 themselves).
 class type control always event session-start
  10 authorize aaa list ISG_AUTH_LIST password cisco identifier remote-id 
  20 set-timer 2MIN 2
 !
 class type control always event account-logoff
  10 service disconnect
 !
 ! Same handling on session restart.
 class type control always event session-restart
  10 authorize aaa list ISG_AUTH_LIST password cisco identifier remote-id 
  20 set-timer 2MIN 2
 !
 
 !
!
!
! Control-plane policer. All four classes use 'exceed-action transmit', so nothing is ever
! dropped: the policy only counts conforming/exceeding packets (fine for baselining, but no
! protection). Once the 32 kbps rates are validated against 'show policy-map control-plane',
! switch exceed-action to drop. Anything not matched (the implicit class-default) is unpoliced.
policy-map COPP
 class ICMP
  police 32000 conform-action transmit  exceed-action transmit 
 class TELNET
  police 32000 conform-action transmit  exceed-action transmit 
 class EIGRP
  police 32000 conform-action transmit  exceed-action transmit 
 class HSRP
  police 32000 conform-action transmit  exceed-action transmit 
!
!
! 
!
!
!
!
!
!
!
!
!
!
!
! 
! 
!
!
! Subscriber gateway addresses; the QinQ subinterfaces are unnumbered to this loopback.
interface Loopback1
 ip address x.x.x.x 255.255.255.128
 ip address x.x.x.x 255.255.192.0 secondary
 no ip redirects
 no ip unreachables
!
interface TenGigabitEthernet0/0/0
 description ##Uplink_local_1##
 mtu 9000
 no ip address
!
! Uplink: NAT outside and RADIUS source interface. No inbound ACL here, and COPP does not drop
! (exceed-action transmit), so the route processor is exposed to whatever the upstream allows -
! an infrastructure ACL or a dropping COPP would close that.
interface TenGigabitEthernet0/0/0.1200
 encapsulation dot1Q 1200
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 ip nat outside
!
interface TenGigabitEthernet0/0/1
 description ##Uplink_local_2##
 mtu 9000
 no ip address
!
!
! Subscriber access: outer VLAN 2000, any inner VLAN.
! 'information trusted' accepts DHCP packets that already carry option 82, i.e. the remote-id
! used for authorization comes from the access switch - acceptable only if those switches
! enforce DHCP snooping so subscribers cannot supply their own option 82.
! Strict uRPF with the l2-src check blocks IP/MAC spoofing; proxy-arp and redirects are off.
interface TenGigabitEthernet0/0/1.2000
 description ##QINQ##
 encapsulation dot1Q 2000 second-dot1q any
 ip dhcp relay information trusted
 ip dhcp relay information option-insert 
 ip unnumbered Loopback1
 ip helper-address x.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip verify unicast source reachable-via rx l2-src
 service-policy type control IPOE_CUSTOMERS
 ip subscriber routed
  initiator dhcp
!
! Same as .2000 except it lacks 'ip dhcp relay information option-insert'; the global
! 'ip dhcp relay information option' probably makes that redundant, but keep the two consistent.
interface TenGigabitEthernet0/0/1.2001
 description ##QINQ##
 encapsulation dot1Q 2001 second-dot1q any
 ip dhcp relay information trusted
 ip unnumbered Loopback1
 ip helper-address x.x.x.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip verify unicast source reachable-via rx l2-src
 service-policy type control IPOE_CUSTOMERS
 ip subscriber routed
  initiator dhcp
 
! HTTP/HTTPS management disabled.
no ip http server
no ip http secure-server
ip forward-protocol nd
!
! CGNAT settings. 'max-entries all-host 2500' caps translations per inside host, which keeps
! one subscriber from exhausting the table. ALGs are disabled. No 'ip nat log translations'
! appears in this listing - for CGNAT, translation logging (syslog/HSL) is usually needed to
! map a public address:port back to a subscriber during an incident; confirm it exists elsewhere.
ip nat settings gatekeeper-size 262144
ip nat settings pap limit 30 
ip nat translation timeout 1800
ip nat translation tcp-timeout 1600
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation dns-timeout 60
ip nat translation icmp-timeout 30
ip nat translation max-entries 2000000
ip nat translation max-entries all-host 2500
no ip nat service all-algs
! Two public pools with PAT (overload); the source lists select subscribers by inside prefix.
ip nat pool CGNAT1 x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat pool CGNAT2 x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat inside source list list-CGNAT1 pool CGNAT1 overload
ip nat inside source list list-CGNAT2 pool CGNAT2 overload
! Aggregate discard routes (typical purpose: avoid loops for unassigned parts of the blocks).
ip route x.x.x.x 255.0.0.0 Null0 254
ip route x.x.x.x 255.192.0.0 Null0 254
! SSHv2 only, on port 2024 via rotary group 10 (the vty lines carry 'rotary 10');
! maxstartups 2 limits concurrent unauthenticated SSH sessions; SSH events are logged.
ip ssh maxstartups 2
ip ssh port 2024 rotary 10
ip ssh logging events
ip ssh version 2
!
! COPP match ACLs (see the class-maps above).
ip access-list extended EIGRP
 10 permit eigrp any any
ip access-list extended HSRP
 10 permit udp any host x.x.x.x eq 1985
ip access-list extended ICMP
 10 permit icmp any any
! Telnet is not accepted on any line ('transport input none'), so this class only counts attempts.
ip access-list extended TELNET
 10 permit tcp any any eq telnet
! NAT source lists: only tcp/udp/icmp from the subscriber /18 is translated; explicit deny at the end.
ip access-list extended list-CGNAT1
 10 permit tcp x.x.x.x 0.0.63.255 any
 20 permit udp x.x.x.x 0.0.63.255 any
 30 permit icmp x.x.x.x 0.0.63.255 any
 40 deny   ip any any
ip access-list extended list-CGNAT2
 10 permit tcp x.x.x.x 0.0.63.255 any
 20 permit udp x.x.x.x 0.0.63.255 any
 30 permit icmp x.x.x.x 0.0.63.255 any
 40 deny   ip any any
!
! ACLs 110 and 130 are not referenced anywhere in this listing, while ACL 23 (used by the vty
! access-class) is not defined here. Unreferenced ACLs should be removed or documented; the
! missing access-class ACL is the more important one to check.
ip access-list extended 110
 10 permit tcp x.x.x.x 0.0.63.255 any eq www
 20 permit tcp x.x.x.x 0.0.63.255 any eq www
ip access-list extended 130
 10 permit tcp host x.x.x.x any
 20 permit tcp any host x.x.x.x
 30 permit udp host x.x.x.x any
 40 permit udp any host x.x.x.x
 
!
!
!
!
! RADIUS attribute formatting for the billing system: NAS-Port encoded with the Q/V bit
! pattern (presumably outer/inner VLAN for QinQ - verify against the billing side),
! Calling-Station-Id (31) as a raw MAC, Framed-IP-Address (8) included in Access-Request.
radius-server attribute 44 include-in-access-req default-vrf
no radius-server attribute 77 include-in-acct-req
no radius-server attribute 77 include-in-access-req
radius-server attribute 8 include-in-access-req
radius-server attribute nas-port format e QQQQQQQQQQQQQQQQVVVVVVVVVVVVVVVV
radius-server attribute 31 mac format unformatted
radius-server unique-ident 73
! Global shared key (type 7, reversible). The per-server 'key 7' entries below normally take
! precedence, so this one is only a fallback. No timeout/retransmit/deadtime set here - defaults apply.
radius-server key 7 XXXXXXXXXXXXX
radius-server vsa send cisco-nas-port
!
radius server RAD1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 XXXXXXXXXXXXXXXXXX
!
radius server RAD2
 address ipv4 x.x.x.x auth-port 1912 acct-port 1913
 key 7 XXXXXXXXXXXXXXXXXX
!
!
! Attaches the COPP policy (which currently transmits on exceed, so no enforcement yet).
control-plane
 service-policy input COPP
!
!
!
!
!
!
line con 0
 stopbits 1
! AUX line is left at defaults; if it is unused, 'no exec' / 'transport input none' would close it.
line aux 0
! vty 0-4: 'access-class 23 in' references ACL 23, which is not defined in this listing. As far
! as I recall IOS does not enforce an access-class whose list does not exist - confirm it is
! defined (may be redacted). 'privilege level 15' gives full privilege to anyone who passes
! login. 'transport input none' together with 'rotary 10' and 'ip ssh port 2024 rotary 10':
! verify SSH on port 2024 is actually accepted on these lines; otherwise only the console is usable.
line vty 0 4
 access-class 23 in
 exec-timeout 20 0
 privilege level 15
 logging synchronous
 rotary 10
 transport input none
! vty 5-15: no remote access at all.
line vty 5 15
 transport input none
!
! Smart Call Home: the CiscoTAC-1 profile is active and uses HTTP transport, so the device
! needs outbound reachability to Cisco. Confirm this egress (and any proxy) is intended
! and permitted by policy, since it carries device diagnostics/inventory off the network.
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
!
end