ATTENTION!! The services are carried over UPC. At the customer end, the UPC port must be in trunk mode, with the local VLAN(s) permitted. The assigned VLAN pair is:

LAN NET: a.a.a.a / 255.255.255.0, gateway 192.168.1.1 (filled in by *Net Team)

Service | VLAN LOCAL | VLAN VDF | VLAN UPC | UPC B2B Access Network | IP Address  | Port       | OBS
NET     | n.a.       | 111      | XXXX     | Tehnopolis_Bis         | 172.25.231.5 | Gi1/0/25 4 | NET IP UPC
Mng     | 999        | 1500     | dddd     | Tehnopolis_Bis         | 172.25.231.5 | Gi1/0/25 4 | VPN Mng

Who fills in each column: VLAN LOCAL by *Net Team; the remaining columns (VLAN VDF, VLAN UPC, UPC B2B Access Network, IP Address, Port) by *IST UPC.
In the router configuration further down, the VDF VLANs appear as dot1q termination vid 111 on GigabitEthernet0/0/4.1 (Internet) and vid 1500 on GigabitEthernet0/0/4.999 (management).
Company Confidential
C2 General Page 1
Network routing protocol
Service | UPC
NET     | Static
Mng     | Static

To O&M:
● UPC must define the management VLAN dddd and route l.l.l.l via m.m.m.m
COMMENTS:
The required documents can be downloaded with any web browser from ftp.net-team.ro, logging in with:
user: focontractor
passwd: XLTKhZz9mte
At the customer site:
- connect the existing fibre (FO) at the site to port GE 0/0/4 of the router. Depending on what is installed at the site (MC/SFP), configure WAN port GE 0/0/4 according to the table;
- cable the customer INTERNET LAN into any of the router's ports GE0/0/0 – GE0/0/3.
Above 100 Mb/s, Category 6 Ethernet cabling is required!!
SSID = WiFi
Parola_Wifi (Wi-Fi password) = Vodafone@1234
================================================================
reset saved-configuration
y
reboot
n
y
================================================================
2. Initial configuration – MANDATORY !!!
User: admin
Pass: admin@huawei.com
At the prompt "Warning: The default password poses security risks." answer "Y".
Set the new password to Vdf@1234.
At the autoconfig prompt "Do you want to stop Auto-Config" answer "y".
===============================================================
#
clock timezone Europe/Bucharest add 02:00:00
clock daylight-saving-time Europe/Bucharest repeating 3:0 last Sun Mar 4:0 last Sun Oct 01:00 2017 2037
#
sys
voice
service-mode sipag
quit
#
undo interface Vlanif1
#
aaa
local-user rhifield password irreversible-cipher AsLvFqyUDHyOR6r
y
local-user rhifield privilege level 15
local-user rhifield service-type terminal
local-user y1mhnsa password irreversible-cipher $1a$8:>8@G+U*;$`.T[1=8bL,R+T(SEe_@;}atG)P3AiU}Pd!!b~PR8$
local-user y1mhnsa privilege level 15
local-user y1mhnsa service-type terminal ssh
undo local-aaa-user password policy administrator
quit
quit
#
reboot
y
y
=======================================================
3. Configuration
!!!!!! wait for the reboot, then log back in with user rhifield and password AsLvFqyUDHyOR6r
=======================================================
sys
sysname APLUS_EMBEDDED_SOFTWARE_SRL_IS
#
icmp rate-limit enable
icmp rate-limit threshold 500
#
ip vpn-instance VPN_MNG
ipv4-family
route-distinguisher 99:99
vpn-target 99:99 export-extcommunity
vpn-target 99:99 import-extcommunity
quit
#
acl number 2030
rule permit source 172.19.6.40 0.0.0.0
rule permit source 172.19.8.40 0.0.0.0
rule permit source 10.241.116.17 0.0.0.0
rule permit source 10.241.116.18 0.0.0.0
rule permit source 10.241.116.19 0.0.0.0
rule deny source any logging
#
acl number 3099
rule permit ip source 10.101.213.189 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.249.200.253 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.249.204.253 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 172.19.6.51 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 192.168.202.30 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 217.10.194.224 0.0.0.15 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.152.170.200 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.241.116.10 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.241.116.11 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.241.117.1 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule deny ip logging
quit
#
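The two ACLs above decide who may reach the management plane: 3099 is later applied inbound on the VTY lines, 2030 on the SNMPv3 user. The following is an added example, not part of the provisioning document, that evaluates VRP-style rules the way the device does so the reach of each ACL can be checked offline. The rule text is copied from the page; the addresses probed in main() are constructed test inputs. Assumptions: rules are tried in configuration order and the first match wins; a wildcard bit of 1 means "don't care" (a wildcard of 0 or 0.0.0.0 is an exact host, 0.0.0.15 is a /28); the vpn-instance and logging keywords do not affect matching; and when no rule matches the evaluator returns None rather than assuming an implicit deny, which is why the page's explicit trailing deny rules should not be dropped.

```python
"""Added example: first-match evaluator for VRP-style ACL rules (rule text
copied from the page, probe addresses constructed for the demonstration)."""
import ipaddress
import re

ACL_3099 = """
rule permit ip source 10.101.213.189 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.249.200.253 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.249.204.253 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 172.19.6.51 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 192.168.202.30 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 217.10.194.224 0.0.0.15 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.152.170.200 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.241.116.10 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.241.116.11 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule permit ip source 10.241.117.1 0 destination 10.19.57.28 0 vpn-instance VPN_MNG logging
rule deny ip logging
"""

ACL_2030 = """
rule permit source 172.19.6.40 0.0.0.0
rule permit source 172.19.8.40 0.0.0.0
rule permit source 10.241.116.17 0.0.0.0
rule permit source 10.241.116.18 0.0.0.0
rule permit source 10.241.116.19 0.0.0.0
rule deny source any logging
"""

# One rule line: action, optional "ip", optional source/destination, each with
# an optional wildcard (dotted quad, or the bare "0" shorthand the page uses).
RULE_RE = re.compile(
    r"rule\s+(?P<action>permit|deny)(?:\s+ip)?"
    r"(?:\s+source\s+(?P<src>any|\S+)(?:\s+(?P<src_wc>\d+(?:\.\d+){3}|0)(?=\s|$))?)?"
    r"(?:\s+destination\s+(?P<dst>any|\S+)(?:\s+(?P<dst_wc>\d+(?:\.\d+){3}|0)(?=\s|$))?)?"
)


def _matcher(addr, wildcard):
    """Return (masked_address, care_mask) ints; a missing address or 'any' matches all."""
    if addr is None or addr == "any":
        return 0, 0
    wc = int(ipaddress.IPv4Address("0.0.0.0" if wildcard in (None, "0") else wildcard))
    care = 0xFFFFFFFF ^ wc          # wildcard bit 1 = don't care, so invert it
    return int(ipaddress.IPv4Address(addr)) & care, care


def parse_rules(text):
    """Parse rule lines, in order, into (action, source_matcher, destination_matcher)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rules.append((m["action"], _matcher(m["src"], m["src_wc"]),
                      _matcher(m["dst"], m["dst_wc"])))
    return rules


def _hits(matcher, ip):
    base, care = matcher
    return (int(ipaddress.IPv4Address(ip)) & care) == base


def acl_decision(rules, src, dst="0.0.0.0"):
    """First matching rule decides; None means no rule matched at all."""
    for action, sm, dm in rules:
        if _hits(sm, src) and _hits(dm, dst):
            return action
    return None


def main():
    mgmt, snmp = parse_rules(ACL_3099), parse_rules(ACL_2030)
    loopback, wan_sub = "10.19.57.28", "10.101.213.190"   # addresses from the page
    for s, d in [("10.101.213.189", loopback),   # UPC next hop to loopback: permit
                 ("217.10.194.239", loopback),   # last host of the /28: permit
                 ("217.10.194.240", loopback),   # one past the /28: deny
                 ("10.101.213.189", wan_sub)]:   # allowed host, wrong destination: deny
        print(f"VTY  {s:>15} -> {d:<15} {acl_decision(mgmt, s, d)}")
    for s in ("10.241.116.17", "10.241.116.20"):
        print(f"SNMP {s:>15}                    {acl_decision(snmp, s)}")
    # Without the trailing deny, an unlisted host matches nothing at all.
    print("no trailing deny, unknown host:", acl_decision(mgmt[:-1], "1.2.3.4", loopback))


if __name__ == "__main__":
    main()
```

Two things the evaluation makes visible: ACL 3099 only permits traffic whose destination is the LoopBack100 address 10.19.57.28, so an SSH attempt from an allowed host to the WAN sub-interface address 10.101.213.190 falls through to the final deny and management sessions must target the loopback; and removing the final `rule deny ip logging` leaves unlisted sources unmatched rather than denied, so keep it.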
# ATTENTION !!! The WAN port is configured according to the table below (by the field team):
#
#
interface GigabitEthernet0/0/4.999
description WAN-VDF_MGMT
ip binding vpn-instance VPN_MNG
ip address 10.101.213.190 255.255.255.252
dot1q termination vid 1500
undo icmp redirect send
undo icmp port-unreachable send
quit
#
interface LoopBack100
description Interfata_mng
ip binding vpn-instance VPN_MNG
ip address 10.19.57.28 255.255.255.255
quit
#
info-center enable
info-center source default channel loghost log level informational
info-center loghost source LoopBack 100
info-center loghost 192.168.202.9 vpn-instance VPN_MNG channel loghost
info-center loghost 192.168.202.9 vpn-instance VPN_MNG channel loghost port 514
info-center loghost 192.168.202.17 vpn-instance VPN_MNG
#
snmp-agent sys-info location ?APLUS_EMBEDDED_SOFTWARE_SRL
snmp-agent sys-info version v3
snmp-agent group v3 VDFMonitoring privacy
snmp-agent server-source -i Loopback 100
#
snmp-agent trap enable
y
snmp-agent target-host trap-hostname snmp1 address 172.19.6.40 udp-port 162 vpn-instance VPN_MNG trap-paramsname snmp
snmp-agent target-host trap-hostname snmp2 address 172.19.8.40 udp-port 162 vpn-instance VPN_MNG trap-paramsname snmp
#
ip route-static vpn-instance VPN_MNG 0.0.0.0 0.0.0.0 10.101.213.189
#
undo http server enable
y
undo http secure-server enable
y
undo http secure-server ssl-policy
#
undo telnet server enable
undo tftp server enable
undo autoconfig enable
undo lldp enable
#
ssh server permit interface all
# IF the router returns an error on the command above, ignore it - that is OK
#
stelnet server enable
undo ssh server compatible-ssh1x enable
#
factory-configuration prohibit
#
cpu-defend policy devicesafety
packet-type arp-request rate-limit 256
packet-type dhcp-client priority 3
application-apperceive packet-type ftp rate-limit 2000
#
cpu-defend-policy devicesafety
#
set cpu-usage threshold 90
#
header login information <
ATTENTION! THIS IS A PRIVATE NETWORK! The information held in this network and equipment is private and belongs entirely
to the owner. If you are not authorised, disconnect immediately! All unauthorised access attempts will be prosecuted under the law.
<
#
#
ntp-service enable
ntp-service unicast-server 172.19.5.128
#
ntp-service authentication enable
ntp-service unicast-server 10.237.5.21 vpn-instance VPN_MNG
ntp-service unicast-server 10.237.5.22 vpn-instance VPN_MNG
ntp-service source-interface LoopBack 100 vpn-instance VPN_MNG
#
nat alg all enable
#
#
vlan batch 10
#
dhcp enable
#
ip vpn-instance NET
ipv4-family
route-distinguisher 11:11
vpn-target 11:11 export-extcommunity
vpn-target 11:11 import-extcommunity
#
acl number 3000
rule permit ip source 192.168.1.0 0.0.0.255 destination any
#
ip pool lan_net
vpn-instance NET
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
excluded-ip-address 192.168.1.2 192.168.1.50
dns-list 95.77.94.77 78.96.7.7 81.12.128.206 81.12.132.206
#
dns server vpn-instance NET
dns server 95.77.94.77
dns server 78.96.7.7
dns server 81.12.128.206
dns server 81.12.132.206
dns relay enable
#
undo interface Vlanif1
#
interface Vlanif10
description LAN-INTERNET
ip binding vpn-instance NET
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/0
description LAN-INTERNET
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/1
description LAN-INTERNET
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
description LAN-INTERNET
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
description LAN-INTERNET
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/4.1
description WAN-INTERNET
ip binding vpn-instance NET
ip address 82.208.167.6 255.255.255.0
dot1q termination vid 111
qos gts cir 76800
nat outbound 3000
undo icmp redirect send
undo icmp port-unreachable send
#
ip route-static vpn-instance NET 0.0.0.0 0.0.0.0 82.208.167.1
#
interface Wlan-Bss0
port hybrid tagged vlan 10
#
interface Wlan-Bss1
port hybrid tagged vlan 10
#
ntp-service unicast-server 192.168.242.100 vpn-instance NET
#
#
//
The Wi-Fi password must satisfy the device's rule: "Please contain at least two of these characters upper-case letters, lower-case letters, digits, and special characters." Minimum 8 characters.
//
wlan
calibrate enable auto interval 60
wmm-profile name wmm24 id 1
wmm-profile name wmm5 id 2
traffic-profile name police24 id 1
traffic-profile name police5 id 2
security-profile name sec24 id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher Vodafone@1234 encryption-method ccmp
security-profile name sec5 id 2
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher Vodafone@1234 encryption-method ccmp
service-set name serv24 id 0
Wlan-Bss 0
ssid APLUS_EMBEDDED_SOFTWARE_SRL_2.4
traffic-profile id 1
security-profile id 1
service-set name serv5 id 1
Wlan-Bss 1
ssid APLUS_EMBEDDED_SOFTWARE_SRL_5
traffic-profile id 2
security-profile id 2
radio-profile name radi24 id 1
wmm-profile id 1
guard-interval-mode short
undo legacy-station enable
radio-profile name radio5 id 2
wmm-profile id 2
guard-interval-mode short
undo legacy-station enable
#
interface Wlan-Radio0/0/0
undo radio-profile
radio-profile id 1
channel 40MHz-minus 8
service-set id 0 wlan 1
#
interface Wlan-Radio0/0/1
radio-profile id 2
channel 80MHz 64
service-set id 1 wlan 2
quit
#
undo interface Wlan-Bss7
#
#
hwtacacs-server template ISE
hwtacacs-server timer response-timeout 15
hwtacacs-server authentication 10.249.198.210 vpn-instance VPN_MNG shared-key cipher %^%#&2XN>&cbCI<4|h3{q5XPnv`#Y\_7D.KATa,$dIM6%^%#
hwtacacs-server authentication 10.249.198.218 vpn-instance VPN_MNG secondary shared-key cipher %^%#[V})LpNL[I,W^xJ~q0|7A3W]J"~l`MtSj36e_nY,%^%#
hwtacacs-server authorization 10.249.198.210 vpn-instance VPN_MNG shared-key cipher %^%#8/V'Ke]!\M-Jn}W~Fwe9S=&_/A|*Q%xVu"P&rp.$%^%#
hwtacacs-server authorization 10.249.198.218 vpn-instance VPN_MNG secondary shared-key cipher %^%#@0L`OTxuAIytbD~]u@+8SFo9~o@EmM.@b]K(Gj\0%^%#
hwtacacs-server accounting 10.249.198.210 vpn-instance VPN_MNG shared-key cipher %^%#<V#j%9.\hEv)Bx7nFXtSOl_4WOW{KAdle6Og^P~1%^%#
hwtacacs-server accounting 10.249.198.218 vpn-instance VPN_MNG secondary shared-key cipher %^%#>Yl#Z!HFnI06lt5z^oVK/C}PEjK2HJA{XkWB;sS6%^%#
hwtacacs-server source-ip source-loopback 100
undo hwtacacs-server user-name domain-included
quit
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authentication-scheme ISE
authentication-mode hwtacacs local
authorization-scheme default
authorization-mode local
authorization-scheme Autorizare
authorization-mode hwtacacs local
accounting-scheme default
accounting-mode none
accounting-scheme aaa
accounting-mode hwtacacs
quit
undo local-aaa-user password policy administrator
service-scheme aaa
admin-user privilege level 15
quit
domain default
authentication-scheme default
accounting-scheme default
quit
domain default_admin
authentication-scheme default
accounting-scheme default
quit
domain tacacs
authentication-scheme ISE
accounting-scheme aaa
authorization-scheme Autorizare
service-scheme aaa
radius-server default
hwtacacs-server ISE
quit
undo local-user admin
quit
#
domain tacacs admin
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
acl 3099 inbound
protocol inbound ssh
quit
#
quit
#
save
y
#
#
sys
aaa
undo local-user rhifield
quit
#
snmp-agent usm-user v3 <SNMPuser> group VDFMonitoring acl 2030
snmp-agent usm-user v3 <SNMPuser> authentication-mode sha2-256
<SNMPpass>
<SNMPpass>
snmp-agent usm-user v3 <SNMPuser> privacy-mode aes128
<passcrypt>
<passcrypt>
#
quit
save
y
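The procedure above hardens the management plane step by step (HTTP/Telnet/TFTP off, SSHv1 compatibility off, STelnet on, VTY lines limited to SSH behind an inbound ACL, SNMPv3 with privacy, the bootstrap account rhifield removed at the end) and quotes the pass-phrase policy the device enforces for Wi-Fi. The following is an added example, not part of the document and not a Huawei tool, that audits a configuration dump against exactly those steps. SAMPLE_CONFIG is constructed from lines on this page with three deliberate deviations (telnet left enabled, the local administrator password policy disabled, rhifield still present) so the audit has findings; the check names and regular expressions are this example's own, written against the line syntax the page shows.

```python
"""Added example: audit a VRP configuration against the hardening steps on this
page. SAMPLE_CONFIG is constructed from the page's lines plus three deliberate
deviations; check names and patterns are this example's own."""
import re

SAMPLE_CONFIG = """\
sysname APLUS_EMBEDDED_SOFTWARE_SRL_IS
undo http server enable
undo http secure-server enable
telnet server enable
undo tftp server enable
stelnet server enable
undo ssh server compatible-ssh1x enable
snmp-agent sys-info version v3
snmp-agent group v3 VDFMonitoring privacy
undo local-aaa-user password policy administrator
local-user rhifield privilege level 15
local-user y1mhnsa service-type terminal ssh
wpa2 authentication-method psk pass-phrase cipher Vodafone@1234 encryption-method ccmp
user-interface con 0
 authentication-mode aaa
user-interface vty 0 4
 authentication-mode aaa
 acl 3099 inbound
 protocol inbound ssh
"""


def psk_meets_policy(psk):
    """Rule quoted on the page: at least 8 characters drawn from at least two of
    upper-case, lower-case, digits and special characters."""
    classes = (any(c.isupper() for c in psk), any(c.islower() for c in psk),
               any(c.isdigit() for c in psk), any(not c.isalnum() for c in psk))
    return len(psk) >= 8 and sum(classes) >= 2


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def _has(lines, pattern):
    rx = re.compile(pattern)
    return any(rx.fullmatch(ln) for ln in lines)


def _vty_block(lines):
    """Lines under 'user-interface vty', whether indented (display output) or
    flat (the typed form on this page); ends at the next section, '#' or quit."""
    block, inside = [], False
    for ln in lines:
        if ln.startswith("user-interface vty"):
            inside = True
            continue
        if ln.startswith(("user-interface", "#")) or ln == "quit":
            inside = False
        if inside:
            block.append(ln)
    return block


def audit(config):
    lines = _lines(config)
    vty = _vty_block(lines)
    # Pass-phrases are only readable in the typed provisioning script; a saved
    # config stores the %^%#...%^%# ciphertext, so run this on the script.
    psks = [m.group(1) for ln in lines
            for m in [re.search(r"pass-phrase cipher (\S+)", ln)] if m]
    return {
        "http_disabled": _has(lines, r"undo http server enable")
                         and _has(lines, r"undo http secure-server enable"),
        "telnet_disabled": _has(lines, r"undo telnet server enable"),
        "tftp_disabled": _has(lines, r"undo tftp server enable"),
        "stelnet_enabled": _has(lines, r"stelnet server enable"),
        "ssh1_disabled": _has(lines, r"undo ssh server compatible-ssh1x enable"),
        "vty_acl_inbound": any(re.fullmatch(r"acl \d+ inbound", ln) for ln in vty),
        "vty_ssh_only": "protocol inbound ssh" in vty,
        # "version v1 v3" would fail the fullmatch: v3 must be the only version
        "snmp_v3_only": _has(lines, r"snmp-agent sys-info version v3")
                        and _has(lines, r"snmp-agent group v3 \S+ privacy"),
        "local_password_policy_enabled":
            not _has(lines, r"undo local-aaa-user password policy administrator"),
        "bootstrap_user_removed": not _has(lines, r"local-user rhifield .*"),
        "wifi_psk_policy": bool(psks) and all(psk_meets_policy(p) for p in psks),
    }


def failing(config):
    """Names of the checks that fail, sorted, for a one-line summary."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On a device finished exactly as the page describes, `undo local-user rhifield` makes the bootstrap check pass; `local_password_policy_enabled` fails on the page's own configuration as well, because `undo local-aaa-user password policy administrator` is issued twice (in the initial AAA block and again in section 3) and switches off the password policy for local administrator accounts.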