このところIX2k/3kの話題も落ち着いてきたようですが備忘録を兼ねて
NTTフレッツ/マルチPPPoEでの2-ISPマルチホーミング設定のサンプルコンフィグ。
## Hostname (placeholder in this sample)
hostname hogehoge
## Time zone: UTC+9 (JST)
timezone +09 00
## Local administrator account; the password hash is redacted here
username admin password hash XXXXXXXXXXXXXX administrator
## NTP against the MFEED public servers; interval 3600 (presumably seconds)
ntp ip enable
ntp server 210.173.160.27
ntp server 210.173.160.57
ntp server 210.173.160.87
ntp interval 3600
## Logging: 131072-byte in-memory buffer, all subsystems at "warn", date+time timestamps
## NOTE(review): no remote syslog destination appears in this file, so the ring buffer is the only
## log record and is lost on reboot — confirm whether a collector is configured elsewhere.
logging buffered 131072
logging subsystem all warn
logging timestamp datetime
## UFS cache enabled, up to 20000 entries
ip ufs-cache max-entries 20000
ip ufs-cache enable
## Multihoming over the two PPPoE sessions FaE0/0.1 and FaE0/0.2.
## Two static defaults: FastEthernet0/0.2 (distance 100) is presumably preferred and
## FastEthernet0/0.1 (distance 200) is the fallback when 0/0.2's route disappears.
ip route default FastEthernet0/0.1 distance 200
ip route default FastEthernet0/0.2 distance 100
## FLET'S Square route (unused: not enough PPPoE sessions available)
ip route 220.210.194.0/25 FastEthernet0/0.3
## DHCP server enabled globally; the per-VLAN profiles follow below
ip dhcp enable
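## ACLs
## Catch-all deny / permit lists, referenced by the per-interface "ip filter" lines further down
ip access-list all-block deny ip src any dest any
ip access-list all-forward permit ip src any dest any
# ACLs / DNS steering for multihoming (used by route-map pbr-map seq 100/200)
# The destination prefix (each ISP's resolver range) is redacted in this sample ("dest /16");
# it must be filled in before use. DNS normally runs over UDP, so matching TCP/53 alone would
# leave most queries unsteered — both transports are listed for each ISP.
ip access-list isp1-dns permit udp src any sport any dest /16 dport eq 53
ip access-list isp1-dns permit tcp src any sport any dest /16 dport eq 53
ip access-list isp2-dns permit udp src any sport any dest /16 dport eq 53
ip access-list isp2-dns permit tcp src any sport any dest /16 dport eq 53
# ACLs / management access (applied to telnet-server below)
# Limited to the three LAN /24s configured on the VLAN interfaces. With /16 the three entries
# all collapsed to 192.168.0.0/16, which admitted any 192.168.x.x source to the Telnet server.
# NOTE(review): 192.168.300.0 is not a valid IPv4 address (third octet > 255); presumably a
# redacted value carried through the sample — confirm before use.
ip access-list management permit ip src 192.168.100.0/24 dest any
ip access-list management permit ip src 192.168.200.0/24 dest any
ip access-list management permit ip src 192.168.300.0/24 dest any
# ACLs / NetBIOS-SMB filter: TCP 135, 137-139 and 445 dropped in either direction
# NOTE(review): only TCP is denied here; NetBIOS name/datagram service on UDP 137/138 is not covered.
ip access-list nb-block deny tcp src any sport eq 135 dest any dport any
ip access-list nb-block deny tcp src any sport any dest any dport eq 135
ip access-list nb-block deny tcp src any sport range 137 139 dest any dport any
ip access-list nb-block deny tcp src any sport any dest any dport range 137 139
ip access-list nb-block deny tcp src any sport any dest any dport eq 445
ip access-list nb-block deny tcp src any sport eq 445 dest any dport any
# ACLs / policy-based routing
# pbr-in-list: anything destined for the RFC 1918 private ranges (route-map seq 400)
ip access-list pbr-in-list permit ip src any dest 10.0.0.0/8
ip access-list pbr-in-list permit ip src any dest 172.16.0.0/12
ip access-list pbr-in-list permit ip src any dest 192.168.0.0/16
# pbr-out-list: one specific host, plus SSH traffic (sport 22) from 192.168.300.251 (route-map seq 500)
ip access-list pbr-out-list permit ip src 192.168.200.1/32 dest any
ip access-list pbr-out-list permit tcp src 192.168.300.251/32 sport eq 22 dest any dport any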
## DNS cache disabled
no dns cache address-database
## DNS proxy: LAN clients use this router as resolver (see dns-server in the DHCP profiles);
## queries are presumably forwarded via the PPPoE sessions, FastEthernet0/0.1 at priority 200
## and 0/0.2 at priority 150.
## NOTE(review): which priority value wins is inferred from the numbers only — confirm the platform's ordering.
proxy-dns ip enable
proxy-dns ip query-interval 1
proxy-dns interface FastEthernet0/0.1 priority 200
proxy-dns interface FastEthernet0/0.2 priority 150
## Telnet server, restricted to sources matching the "management" ACL.
## NOTE(review): Telnet carries the admin password in cleartext, and the source ACL is the only
## guard; keep that ACL limited to the actual LAN prefixes and prefer the platform's SSH server
## where one is available.
telnet-server ip enable
telnet-server ip access-list management
## Multihoming policy routing (pbr-map is applied on the three VLAN interfaces below)
# DNS steering (seq 100/200): ISP1 resolvers leave via FastEthernet0/0.2, ISP2 resolvers via 0/0.1.
# That matches the ppp bindings further down (0/0.1 -> isp_isp2, 0/0.2 -> isp_isp1), even though
# the interface headings there name the ISPs the other way round.
route-map pbr-map permit 100
match ip address access-list isp1-dns
set interface FastEthernet0/0.2
!
route-map pbr-map permit 200
match ip address access-list isp2-dns
set interface FastEthernet0/0.1
!
# Source-based routing for specific hosts (seq 400/500)
# seq 400: traffic toward private (RFC 1918) destinations is sent to Loopback0.0 with next-hop
# 192.168.200.251, which presumably keeps it off the ISP links.
# NOTE(review): the intent of pairing a loopback interface with a LAN next-hop is not clear from
# this file alone — confirm against the deployed topology.
route-map pbr-map permit 400
match ip address access-list pbr-in-list
set interface Loopback0.0
set ip next-hop 192.168.200.251
!
# seq 500: hosts in pbr-out-list always egress via FastEthernet0/0.1 (the fallback default)
route-map pbr-map permit 500
match ip address access-list pbr-out-list
set interface FastEthernet0/0.1
## PPPoE accounts
## isp_isp1 / isp_isp2: the login name and password values are blanked in this sample.
## NOTE(review): the interface stanzas bind these crosswise (FastEthernet0/0.1 -> isp_isp2,
## 0/0.2 -> isp_isp1); the route-map DNS steering agrees with that, so only the headings are off.
ppp profile isp_isp1
authentication myname
authentication password
!
ppp profile isp_isp2
authentication myname
authentication password
!
## FLET'S Square session, using the published guest login (not a secret)
ppp profile square
authentication myname guest@flets
authentication password guest@flets guest
## DHCP profiles, one per VLAN (bound on the VLAN interfaces below)
## dhcp_open: OPEN-NET, leases .129-.192 of 192.168.100.0/24, DNS = this router's VLAN address
ip dhcp profile dhcp_open
assignable-range 192.168.100.129 192.168.100.192
subnet-mask 255.255.255.0
dns-server 192.168.100.254
fixed-assignment 192.168.100.160 AA:BB:CC:DD:EE:FF ## fixed assignment (sample MAC)
!
## dhcp_local: LOCAL-NET, same layout on 192.168.200.0/24
ip dhcp profile dhcp_local
assignable-range 192.168.200.129 192.168.200.192
subnet-mask 255.255.255.0
dns-server 192.168.200.254
!
## dhcp_tech: TECH-NET
## NOTE(review): 192.168.300.x is not a valid IPv4 address (third octet > 255); presumably a
## redacted value — confirm before use.
ip dhcp profile dhcp_tech
assignable-range 192.168.300.129 192.168.300.192
subnet-mask 255.255.255.0
dns-server 192.168.300.253
## Physical devices
device FastEthernet0/0
!
device FastEthernet0/1
!
## FastEthernet1/0 switch ports split into three VLAN groups:
## port 1 -> group 1 (OPEN-NET), ports 2-3 -> group 2 (LOCAL-NET), port 4 -> group 3 (TECH-NET)
device FastEthernet1/0
vlan-group 1 port 1
vlan-group 2 port 2 3
vlan-group 3 port 4
!
## ISDN BRI; its logical interface is shut down below
device BRI1/0
isdn switch-type hsd128k
## Logical interfaces
## Base sub-interfaces of the physical ports and the BRI: no address, administratively down
interface FastEthernet0/0.0
no ip address
shutdown
!
interface FastEthernet0/1.0
no ip address
shutdown
!
interface FastEthernet1/0.0
no ip address
shutdown
!
interface BRI1/0.0
encapsulation ppp
no auto-connect
no ip address
shutdown
# PPPoE session on FastEthernet0/0.1 (labelled "ISP1" in the original, but it binds isp_isp2)
# NOTE(review): route-map seq 200 sends isp2-dns traffic out this interface, which is consistent
# with the isp_isp2 binding, so the heading rather than the binding looks mislabelled.
interface FastEthernet0/0.1
encapsulation pppoe
auto-connect
ppp binding isp_isp2
ip address ipcp
ip tcp adjust-mss auto
# NAPT, up to 25000 translations
ip napt enable
ip napt translation max-entries 25000
# Inbound exposure from the Internet: TCP 5800/5900 (presumably VNC) to 192.168.200.1,
# and TCP 10022 -> 192.168.200.1:22 (SSH).
# NOTE(review): with "all-forward" as the inbound filter nothing limits which Internet sources
# can reach these mappings; a source-restricted ACL on these ports, or moving remote access
# behind a VPN, would shrink the password-guessing surface.
ip napt static 192.168.200.1 tcp 5800
ip napt static 192.168.200.1 tcp 5900
ip napt service ssh-trans 192.168.200.1 22 tcp 10022
# Filters: NetBIOS/SMB ports dropped first (seq 1), everything else permitted both ways (seq 65535)
ip filter nb-block 1 in
ip filter all-forward 65535 in
ip filter all-forward 65535 out
no shutdown
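# PPPoE session on FastEthernet0/0.2 (labelled "ISP2" in the original, but it binds isp_isp1)
# NOTE(review): route-map seq 100 sends isp1-dns traffic out this interface, consistent with the
# isp_isp1 binding, so the heading rather than the binding looks mislabelled.
# This is the preferred default (distance 100).
interface FastEthernet0/0.2
encapsulation pppoe
auto-connect
ppp binding isp_isp1
ip address ipcp
ip tcp adjust-mss auto
# NAPT, up to 25000 translations (the duplicated max-entries line from the original is dropped)
ip napt enable
ip napt translation max-entries 25000
# Same Internet-facing mappings as on FastEthernet0/0.1: TCP 5800/5900 (presumably VNC) and
# TCP 10022 -> 192.168.200.1:22 (SSH), so the host is reachable through both ISP addresses.
# NOTE(review): "all-forward" inbound means no source restriction applies to these mappings.
ip napt static 192.168.200.1 tcp 5800
ip napt static 192.168.200.1 tcp 5900
ip napt service ssh-trans 192.168.200.1 22 tcp 10022
# Filters: NetBIOS/SMB ports dropped first (seq 1), everything else permitted both ways (seq 65535)
ip filter nb-block 1 in
ip filter all-forward 65535 in
ip filter all-forward 65535 out
no shutdown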
# FLET'S Square PPPoE session (unused: administratively down)
interface FastEthernet0/0.3
encapsulation pppoe
auto-connect
ppp binding square
ip address ipcp
ip mtu 1454
ip tcp adjust-mss auto
ip napt enable
ip filter nb-block 1 in
ip filter all-forward 65535 in
ip filter all-forward 65535 out
shutdown
!
# Spare PPPoE sub-interfaces on FastEthernet1/0: no address, administratively down
interface FastEthernet1/0.1
encapsulation pppoe
auto-connect
no ip address
shutdown
!
interface FastEthernet1/0.2
encapsulation pppoe
auto-connect
no ip address
shutdown
# VLAN group 1: OPEN-NET
# LAN-side MTU 1454 / MSS 1414 (presumably sized for the PPPoE path), DHCP from dhcp_open,
# pbr-map applied to traffic entering from this VLAN.
# NOTE(review): none of the three VLAN interfaces carries an "ip filter", and all share pbr-map,
# so nothing in this file separates OPEN-NET from LOCAL-NET/TECH-NET — confirm whether
# inter-VLAN filtering is intended or exists elsewhere.
interface FastEthernet1/0:1.0
description OPEN-NET
ip address 192.168.100.254/24
ip mtu 1454
ip tcp adjust-mss 1414
ip dhcp binding dhcp_open
ip policy route-map pbr-map
no shutdown
!
# VLAN group 2: LOCAL-NET (hosts the NAT target 192.168.200.1 and the seq-400 next-hop .251)
interface FastEthernet1/0:2.0
description LOCAL-NET
ip address 192.168.200.254/24
ip mtu 1454
ip tcp adjust-mss 1414
ip dhcp binding dhcp_local
ip policy route-map pbr-map
no shutdown
!
# VLAN group 3: TECH-NET
# NOTE(review): 192.168.300.x is not a valid IPv4 address; presumably a redacted value — confirm.
interface FastEthernet1/0:3.0
description TECH-NET
ip address 192.168.300.253/24
ip mtu 1454
ip tcp adjust-mss 1414
ip dhcp binding dhcp_tech
ip policy route-map pbr-map
no shutdown
!
# Loopback, referenced by route-map pbr-map seq 400
interface Loopback0.0
ip address 127.0.0.1/32
!
interface Null0.0
no ip address