2163 Views, 45 Helpful, 23 Replies

need to check my configuration

amralrazzaz, Level 5

Dear all,

I need to share my configuration for my router ISR 2911. I'm doing a new configuration for the new office relocation and need your advice on whether anything needs to be changed or deleted, or whether there are unnecessary commands.

If you have any idea, or if it's fine with no issue?

Please check the network diagram.

 

Router#show run
Building configuration...

Current configuration : 4318 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname EGCAI01
!
!
username ++++ privilege 15 secret 5 +++++
enable secret ++++


no aaa new-model
clock timezone EET 2 0

 

no ip domain-lookup
ip domain-name ++++++


ip ssh time-out 90
ip ssh version 2
ip ssh auth 3
crypto key generate rsa usage-keys modulus 2048
!
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.2
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.10.207
ip dhcp excluded-address 192.168.11.207
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.1.253
ip dhcp excluded-address 192.168.1.207

ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool WIFI-OFFICE
network 192.168.4.0 255.255.255.0
default-router 192.168.4.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool Voice
network 192.168.6.0 255.255.255.0
default-router 192.168.6.207
option 150 ip 192.168.6.207
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool WIFI-GUEST
network 192.168.8.0 255.255.255.0
default-router 192.168.8.207
dns-server 8.8.8.8 8.8.4.4

ip dhcp global-options
dns-server 163.121.128.134 163.121.128.135
dns-server 213.131.65.20 213.131.66.246 ---- orange
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
interface GigabitEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip nat inside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
description FACE-client-LAN
encapsulation dot1Q 2
ip address 192.168.2.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 192.168.4.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.55
description native
encapsulation dot1Q 55 native
ip address 192.168.5.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.200
description voice
encapsulation dot1Q 200
ip address 192.168.6.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.230
description CCTV
encapsulation dot1Q 230
ip address 192.168.9.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.250
description MGMT
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip access-group in_guest_traffic in
ip nat inside
!
interface GigabitEthernet0/0.201
description WAN TRANSIT
encapsulation dot1Q 201
ip address 192.168.10.207 255.255.255.0
ip nat inside

interface GigabitEthernet0/0.240
description NarrowCasting
encapsulation dot1Q 240
ip address 192.168.11.207 255.255.255.0
ip nat inside

 

interface GigabitEthernet0/1
description connected to ISP
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip flow ingress
ip flow egress
duplex auto
speed auto

interface GigabitEthernet0/2
no ip address
duplex auto
speed auto

 

banner motd ^C
**************************************************************************
* Unauthorized access is prohibited *
**************************************************************************
* *
* This system is to be used only by specifically authorized personnel. *
* Any unauthorized use of the system is unlawful, and may be subject *
* to civil and/or criminal penalties. *
* *
* Any use of the system may be logged or monitored without further *
* notice and resulting logs may be used as evidence in court. *
**************************************************************************


ip dns view default
dns forwarder 8.8.8.8
ip dns server


ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/1 overload
ip nat inside source list 8 interface GigabitEthernet0/1 overload
ip nat inside source list 9 interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload


ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.1.1
!
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
ip flow-export version 9
top 60
sort-by packets
!
ip forward-protocol nd

access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255
access-list 9 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255

 

ip access-list extended in_guest_traffic

permit ip host 192.168.3.2 any PRINTER
permit ip any host 192.168.3.2
permit ip host 192.168.3.1 any PRINTER
permit ip any host 192.168.3.1

deny ip any 192.168.1.0 0.0.0.255
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
deny ip any 192.168.10.0 0.0.0.255
deny ip any 192.168.11.0 0.0.0.255
permit ip any any


!
no cdp run


!
!
line con 0
password cisco
login

line vty 0 4
access-class management in
exec-timeout 15 0
transport input all
logging synchronous
line vty 5 15
access-class management in
exec-timeout 15 0
transport input all
logging synchronous

!
scheduler allocate 20000 1000
ntp master
!
end
amr alrazzaz
23 Replies

Router#show run
Building configuration...

Current configuration : 4318 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname EGCAI01
!
!
username ++++ privilege 15 secret 5 +++++
enable secret ++++


no aaa new-model
clock timezone EET 2 0

 

no ip domain-lookup
ip domain-name ++++++

 

logging userinfo
logging buffered 128000
logging console informational
crypto logging session
crypto logging ikev2
ip ssh logging events
ntp logging

 

ntp update-calendar
ntp server x.x.x.x prefer (take a public ntp server for example)


ip ssh time-out 90
ip ssh version 2
ip ssh auth 3
ip ssh logging events
crypto key generate rsa usage-keys modulus 2048
!
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.2
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.10.207
ip dhcp excluded-address 192.168.11.207
ip dhcp excluded-address 192.168.3.1
ip dhcp excluded-address 192.168.1.253
ip dhcp excluded-address 192.168.1.207

ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool WIFI-OFFICE
network 192.168.4.0 255.255.255.0
default-router 192.168.4.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool Voice
network 192.168.6.0 255.255.255.0
default-router 192.168.6.207
option 150 ip 192.168.6.207
dns-server 8.8.8.8 8.8.4.4


ip dhcp pool WIFI-GUEST
network 192.168.8.0 255.255.255.0
default-router 192.168.8.207
dns-server 8.8.8.8 8.8.4.4

ip dhcp global-options
dns-server 163.121.128.134 163.121.128.135
dns-server 213.131.65.20 213.131.66.246 ---- orange
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
interface GigabitEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip nat inside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.2
description FACE-client-LAN
encapsulation dot1Q 2
ip address 192.168.2.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 192.168.4.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.55
description native
encapsulation dot1Q 55 native
ip address 192.168.5.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.200
description voice
encapsulation dot1Q 200
ip address 192.168.6.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.230
description CCTV
encapsulation dot1Q 230
ip address 192.168.9.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.250
description MGMT
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip access-group in_guest_traffic in
ip nat inside
!
interface GigabitEthernet0/0.201
description WAN TRANSIT

ip access-group WAN-in in (I will make an ACL on the WAN interface for security in the input direction)
encapsulation dot1Q 201
ip address 192.168.10.207 255.255.255.0
ip nat inside

interface GigabitEthernet0/0.240
description NarrowCasting
encapsulation dot1Q 240
ip address 192.168.11.207 255.255.255.0
ip nat inside

>>>>> ip access-list extended WAN-in
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit icmp any any
permit tcp any any established (permits only replies to traffic initiated by the inside network)
permit udp any any eq isakmp (for future use, if you will use IPsec)
permit udp any any eq non500-isakmp (also IPsec)
permit esp any any (also IPsec)
permit udp any any gt 1024 (permits UDP to the inside network, which will regularly initiate UDP traffic from a random port > 1024)
deny ip any any

 

interface GigabitEthernet0/1
description connected to ISP
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip flow ingress
ip flow egress
duplex auto
speed auto

interface GigabitEthernet0/2
no ip address
duplex auto
speed auto

 

banner motd ^C
**************************************************************************
* Unauthorized access is prohibited *
**************************************************************************
* *
* This system is to be used only by specifically authorized personnel. *
* Any unauthorized use of the system is unlawful, and may be subject *
* to civil and/or criminal penalties. *
* *
* Any use of the system may be logged or monitored without further *
* notice and resulting logs may be used as evidence in court. *
**************************************************************************


ip dns view default
dns forwarder 8.8.8.8
ip dns server

 

DELETE THIS:
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source list 3 interface GigabitEthernet0/1 overload
ip nat inside source list 4 interface GigabitEthernet0/1 overload
ip nat inside source list 5 interface GigabitEthernet0/1 overload
ip nat inside source list 6 interface GigabitEthernet0/1 overload
ip nat inside source list 7 interface GigabitEthernet0/1 overload
ip nat inside source list 8 interface GigabitEthernet0/1 overload
ip nat inside source list 9 interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload

 

REPLACE WITH: 

ip nat inside source list NAT interface GigabitEthernet0/1 overload


ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 192.168.1.1
!
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
ip flow-export version 9
top 60
sort-by packets
!
ip forward-protocol nd

DELETE:

access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255
access-list 9 permit 192.168.10.0 0.0.0.255
access-list 10 permit 192.168.11.0 0.0.0.255

CONFIGURE:

ip access-list extended NAT
    permit ip 192.168.0.0 0.0.255.255 any 

 

DO ALSO THIS:

object-group network RFC-PRIVATE
10.0.0.0 255.0.0.0
172.16.0.0 255.240.0.0
192.168.0.0 255.255.0.0  

 

ip access-list extended in_guest_traffic
deny ip any object-group RFC-PRIVATE
permit ip any any
...I DELETED ALL THE ACL ENTRIES FOR GUEST BECAUSE THEY WERE POINTLESS.


!
no cdp run


!
!
line con 0
password cisco
login

line vty 0 4
access-class management in
exec-timeout 15 0
transport input ssh
logging synchronous
line vty 5 15
access-class management in
exec-timeout 15 0
transport input ssh
logging synchronous

!
scheduler allocate 20000 1000
ntp master
!
end

 

Dear, many super thanks for your great support.

Really appreciated.

I just have one question regarding the guest ACL. My point is to block traffic from guest to all private VLANs except the printer VLAN (192.168.3.0/24), so the guest can only access the printers VLAN.

So your changes will do that?

amr alrazzaz

No, I thought you wanted only access to the internet (this is usually the choice for guest networks).

For that you only need to put a permit above the deny rule:

permit ip any 192.168.3.0 0.0.0.255

 

ip access-list extended in_guest_traffic

permit ip any 192.168.3.0 0.0.0.255
deny ip any object-group RFC-PRIVATE
permit ip any any
...I DELETED ALL THE ACL ENTRIES FOR GUEST BECAUSE THEY WERE POINTLESS.
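As an added example (not code from the thread, and not a Cisco tool), the Python below is a small evaluator for IOS-style extended ACLs, used to check two lists from this thread: the corrected in_guest_traffic list in the reply above and the WAN-in list from the first reply. Wildcard masks, the object-group expansion and the `established` keyword follow IOS semantics; the port numbers 500 and 4500 are what IOS substitutes for isakmp and non500-isakmp. The sample flows (a guest client at 192.168.8.50, an internet host at 203.0.113.10, packets arriving at the router's Gi0/1 address 192.168.1.207) are constructed for the demonstration.

```python
import ipaddress

# Constructed example, not part of the thread: evaluate IOS-style extended ACLs in Python.
def wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    ip_i, net_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return ip_i & care == net_i & care

# object-group network RFC-PRIVATE exactly as defined in the reply.
OBJECT_GROUPS = {"RFC-PRIVATE": [("net", "10.0.0.0", "0.255.255.255"),
                                 ("net", "172.16.0.0", "0.15.255.255"),
                                 ("net", "192.168.0.0", "0.0.255.255")]}

def addr_match(spec, ip):
    """spec is 'any', ('host', ip), ('net', network, wildcard) or ('group', name)."""
    if spec == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    if spec[0] == "net":
        return wildcard_match(ip, spec[1], spec[2])
    return any(addr_match(member, ip) for member in OBJECT_GROUPS[spec[1]])

def ace(action, proto, src, dst, dport=None, established=False):
    """One access-control entry; dport is None, ('eq', n) or ('gt', n)."""
    return dict(action=action, proto=proto, src=src, dst=dst, dport=dport, established=established)

def ace_matches(entry, pkt):
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not (addr_match(entry["src"], pkt["src"]) and addr_match(entry["dst"], pkt["dst"])):
        return False
    if entry["dport"] is not None:
        op, port = entry["dport"]
        actual = pkt.get("dport", -1)
        if (op == "eq" and actual != port) or (op == "gt" and actual <= port):
            return False
    # 'established' matches only TCP segments with ACK or RST set (replies), never a bare SYN.
    if entry["established"] and not (pkt.get("flags", set()) & {"ack", "rst"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if ace_matches(entry, pkt):
            return entry["action"]
    return "deny"

# in_guest_traffic as corrected in the reply: printer VLAN first, then the RFC-private deny.
IN_GUEST_TRAFFIC = [
    ace("permit", "ip", "any", ("net", "192.168.3.0", "0.0.0.255")),
    ace("deny", "ip", "any", ("group", "RFC-PRIVATE")),
    ace("permit", "ip", "any", "any"),
]

# WAN-in from the first reply; IOS resolves isakmp to UDP 500 and non500-isakmp to UDP 4500.
WAN_IN = [
    ace("deny", "ip", ("host", "255.255.255.255"), "any"),
    ace("deny", "ip", ("net", "10.0.0.0", "0.255.255.255"), "any"),
    ace("deny", "ip", ("net", "192.168.0.0", "0.0.255.255"), "any"),
    ace("deny", "ip", ("net", "172.16.0.0", "0.15.255.255"), "any"),
    ace("permit", "icmp", "any", "any"),
    ace("permit", "tcp", "any", "any", established=True),
    ace("permit", "udp", "any", "any", dport=("eq", 500)),
    ace("permit", "udp", "any", "any", dport=("eq", 4500)),
    ace("permit", "esp", "any", "any"),
    ace("permit", "udp", "any", "any", dport=("gt", 1024)),
    ace("deny", "ip", "any", "any"),
]

def guest_results():
    """Constructed flows from a guest client (192.168.8.50) entering Gi0/0.912."""
    flows = {
        "guest_to_printer": dict(proto="tcp", src="192.168.8.50", dst="192.168.3.2", dport=9100, flags={"syn"}),
        "guest_to_printer_vlan_gateway": dict(proto="tcp", src="192.168.8.50", dst="192.168.3.207", dport=22, flags={"syn"}),
        "guest_to_client_lan": dict(proto="tcp", src="192.168.8.50", dst="192.168.2.10", dport=445, flags={"syn"}),
        "guest_to_internet": dict(proto="tcp", src="192.168.8.50", dst="203.0.113.10", dport=443, flags={"syn"}),
    }
    return {name: evaluate(IN_GUEST_TRAFFIC, pkt) for name, pkt in flows.items()}

def wan_results():
    """Constructed packets arriving from the ISP side at the router's Gi0/1 address."""
    pkts = {
        "reply_to_inside_https": dict(proto="tcp", src="203.0.113.10", dst="192.168.1.207", dport=51514, flags={"ack"}),
        "inbound_syn_to_ssh": dict(proto="tcp", src="203.0.113.10", dst="192.168.1.207", dport=22, flags={"syn"}),
        "spoofed_private_source": dict(proto="icmp", src="10.1.1.1", dst="192.168.1.207"),
        "isp_gateway_icmp": dict(proto="icmp", src="192.168.1.1", dst="192.168.1.207"),
        "dns_reply_high_port": dict(proto="udp", src="8.8.8.8", dst="192.168.1.207", dport=33000),
        "inbound_snmp": dict(proto="udp", src="203.0.113.10", dst="192.168.1.207", dport=161),
    }
    return {name: evaluate(WAN_IN, pkt) for name, pkt in pkts.items()}

if __name__ == "__main__":
    for name, verdict in {**guest_results(), **wan_results()}.items():
        print(f"{name:32s} {verdict}")
```

Two results are worth a second look. The `permit ip any 192.168.3.0 0.0.0.255` entry also lets guest clients reach the router's own address on the printer VLAN (192.168.3.207); a `deny ip any host 192.168.3.207` placed above it closes that if it is not wanted. And because Gi0/1 itself sits in 192.168.1.0/24, the `deny ip 192.168.0.0 0.0.255.255 any` entry in WAN-in would also match the ISP gateway 192.168.1.1, which matters if the list is ever applied inbound on Gi0/1 rather than on the transit sub-interface. Separately, both vty line blocks in the posted config apply `access-class management in`, but no ACL named management is defined anywhere in it.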



Dear, thanks a lot.

ntp update-calendar
ntp server x.x.x.x prefer (take a public ntp server for example)

From where do I get a public NTP server?

Do I need the Egypt zone?

 

amr alrazzaz

You can find one on the internet, or maybe your service provider has one.

You can use this:

0.eg.pool.ntp.org

Hello,

In addition to the other posts, you could also shorten the access list by summarizing it as below:


access-list 1 permit 192.168.2.0 0.0.1.255
access-list 1 permit 192.168.4.0 0.0.3.255
access-list 1 permit 192.168.8.0 0.0.3.255
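As an added check (not code from the thread), the Python below verifies that the three summarized entries above match exactly the ten /24 networks that the original access-lists 1 to 10 covered, and shows what a coarser single entry for 192.168.0.0/20 (the block the thread later asks about) would pull in. Wildcard matching follows IOS semantics; the function names and the WHOLE_BLOCK_ACL alternative are my own.

```python
import ipaddress

# Constructed check, not part of the thread: is the summarized access-list 1 lossless,
# and which extra /24s would a coarser 192.168.0.0/20 entry match?

# The ten standard ACLs in the posted config, one per VLAN: 192.168.2.0/24 .. 192.168.11.0/24
ORIGINAL_NETWORKS = {f"192.168.{n}.0" for n in range(2, 12)}

# Summarized list from the reply above, as (network, wildcard) pairs.
SUMMARIZED_ACL = [("192.168.2.0", "0.0.1.255"),
                  ("192.168.4.0", "0.0.3.255"),
                  ("192.168.8.0", "0.0.3.255")]

# Hypothetical single entry for the 192.168.0.0/20 block mentioned later in the thread.
WHOLE_BLOCK_ACL = [("192.168.0.0", "0.0.15.255")]

def wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    ip_i, net_i, wc_i = (int(ipaddress.IPv4Address(x)) for x in (ip, network, wildcard))
    care = ~wc_i & 0xFFFFFFFF
    return ip_i & care == net_i & care

def as_cidr(network, wildcard):
    """CIDR form of an entry; valid for contiguous wildcards like the ones above."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return str(ipaddress.IPv4Network(f"{network}/{mask}", strict=False))

def covered_24s(acl):
    """Every 192.168.x.0/24 whose first and last address both match some entry."""
    covered = set()
    for x in range(256):
        first, last = f"192.168.{x}.0", f"192.168.{x}.255"
        if any(wildcard_match(first, n, w) and wildcard_match(last, n, w) for n, w in acl):
            covered.add(first)
    return covered

def summarization_is_exact(acl):
    """True when the list matches the original ten networks and nothing else."""
    return covered_24s(acl) == ORIGINAL_NETWORKS

def extra_networks(acl):
    """/24s the list matches beyond what the original ten ACLs matched."""
    return covered_24s(acl) - ORIGINAL_NETWORKS

if __name__ == "__main__":
    print([as_cidr(n, w) for n, w in SUMMARIZED_ACL])   # ['192.168.2.0/23', '192.168.4.0/22', '192.168.8.0/22']
    print(summarization_is_exact(SUMMARIZED_ACL))        # True
    print(sorted(extra_networks(WHOLE_BLOCK_ACL), key=ipaddress.IPv4Address))
```

The ten networks run from 192.168.2.0 to 192.168.11.0, which is exactly one /23 plus two /22s, so the summary is lossless. A single /20 (192.168.0.0 to 192.168.15.255) would additionally match six /24s, among them 192.168.1.0/24, which in this configuration is the ISP-facing link on Gi0/1; the `permit ip 192.168.0.0 0.0.255.255 any` NAT list suggested earlier in the thread overlaps it as well. A NAT inside-source list only sees traffic entering on inside interfaces, so the overlap is harmless there, but the same summary reused in a filtering ACL would not be.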

Dear my friend, I'm very grateful for your always help and support.

I would ask you, if you have free time, to update my configuration with your inputs and delete whatever you see is not necessary, so I have a ready configuration to paste on my router.

I would appreciate it if you can modify it on the main config; I'm afraid to do it and miss anything.

I need the configuration to be ready for copy and paste, please.

Also, do you suggest another network ID, or is this fine, what I'm using?

IP Address: 192.168.0.0
Network Address: 192.168.0.0
Usable Host IP Range: 192.168.0.1 - 192.168.15.254
Broadcast Address: 192.168.15.255
Total Number of Hosts: 4,096
Number of Usable Hosts: 4,094
amr alrazzaz

Can you please put all your modifications on the configuration, so I'll copy-paste directly to the router?

amr alrazzaz