<#-- Begin eCVD template -->
<#-- Version 1.5 -->
<#-- Default BootStrap Configuration -->
<#-- Inputs: the "far" hash carries the per-device form values read in this header; the "section" hash (VPN toggles) is read further down. -->
<#-- far.eid is split on "+" and exactly two parts are kept: product id, then serial number. Fewer parts are expected to fail the render. -->
<#assign sublist = "${far.eid}"?split("+")[0..1]>
<#assign pid = sublist[0]>
<#-- Dead value: "model" is overwritten with the fixed "IR1101" two lines below. The slice may still fail the render if pid is shorter than 5 characters. -->
<#assign model = pid[0..4]>
<#-- Serial number; used as the local IKEv2 identity in the VPN section. -->
<#assign sn = sublist[1]>
<#assign model = "IR1101">
<#-- Fixed WAN interface names for the IR1101; every route, NAT, SLA and tunnel-source line below refers to these two. -->
<#assign ether_if = "GigabitEthernet 0/0/0">
<#assign cell_if = "Cellular 0/1/0">
<#-- Interface Menu -->
<#-- Per-port enable flags rendered as strings; the port section shuts a port unless the value is exactly "true". -->
<#assign FastEthernet1 = "${far.fastEthernet1}">
<#assign FastEthernet2 = "${far.fastEthernet2}">
<#assign FastEthernet3 = "${far.fastEthernet3}">
<#assign FastEthernet4 = "${far.fastEthernet4}">
<#-- WAN Menu -->
<#-- APN is assigned only when supplied; the EEM section tests APN?has_content before using it. -->
<#if far.apn?has_content>
<#assign APN = "${far.apn}">
</#if>
<#-- Set default interface -->
<#-- Administrative distances for the two default routes: 101 is the preferred WAN, 102 the backup. cell0Priority == "1" makes cellular primary. -->
<#if far.cell0Priority == "1">
<#assign EthernetPriority = 102>
<#assign Cell0Priority = 101>
<#else>
<#assign EthernetPriority = 101>
<#assign Cell0Priority = 102>
</#if>
<#-- LAN Menu -->
<#-- Dotted-quad strings split into four octet strings. The netmask must be a dotted mask (not a prefix length) for the bit math in the next section. -->
<#assign lanIP = "${far.lanIPAddress}"?split(".")>
<#assign lanNet = "${far.lanNetmask}"?split(".")>
<#-- Network Menu -->
<#-- VPN Settings Menu -->
<#-- Headend address and IKEv2 pre-shared key. herPsk is written verbatim into the keyring of the rendered config, so the rendered output is as sensitive as the key itself. -->
<#assign herIpAddress = "${far.herIpAddress}">
<#assign herPsk = "${far.herPsk}">
<#-- Backup-headend variables exist only when a backup address was supplied; later sections must test backupHerIpAddress?has_content before referencing them. -->
<#if far.backupHerIpAddress?has_content>
<#assign backupHerIpAddress = "${far.backupHerIpAddress}">
<#if far.backupHerPsk?has_content>
<#assign backupHerPsk = "${far.backupHerPsk}">
<#else>
<#-- Fixed placeholder used when no backup PSK was supplied. It is readable in this template and therefore not a secret. NOTE(review): consider failing the render instead, so a backup peer is never configured with a known literal key. -->
<#assign backupHerPsk = "nodefaultPSK">
</#if>
</#if>
<#-- Device Settings Menu -->
<#-- DNS domain for the device; "local" when the form leaves it empty. -->
<#if far.localDomainName?has_content>
<#assign domainName = "${far.localDomainName}">
<#else>
<#assign domainName = "local">
</#if>
<#-- Assign Umbrella DNS servers for additional Security -->
<#-- The same two addresses are reused as IP SLA probe targets and as pinned host routes in the routing section. -->
<#assign DNSIP = "208.67.222.222 208.67.220.220">
<#-- Timezone key (default "edt"); it must be a key of the TZ table below or the "clock timezone" line fails to render. -->
<#if far.clockTZ?has_content>
<#assign clockTZ = "${far.clockTZ}">
<#else>
<#assign clockTZ = "edt">
</#if>
<#-- assign clockDST = "${far.clockDST}"-->
<#-- NTP source; defaults to the NIST public server when the form leaves it empty. -->
<#if far.ntpIP?has_content>
<#assign ntpIP = "${far.ntpIP}">
<#else>
<#assign ntpIP = "time.nist.gov">
</#if>
<#-- Calculate Netmasks -->
<#-- Computes the LAN network address (lanNtwk) and wildcard (lanWild) from the dotted IP and mask, because FreeMarker has no bitwise operators.
     Method: each octet is converted to binary digits (least-significant bit first), the four octets are concatenated and reversed,
     IP and mask are ANDed bit by bit, and the result is converted back to four decimal octets. -->
<#assign lan_ip=[] lan_netmask=[]>
<#-- Binary Conversion of LAN IP-->
<#-- For each octet: record lan % 2 and halve lan until it drops below 1; 1..100 is only an iteration cap, the loop exits via break.
     Once lan becomes fractional, the value of the recorded low bit depends on % truncating its operands to integers (FreeMarker documents this; NOTE(review): confirm for the engine in use). -->
<#list lanIP as lann>
<#assign lan=lann?number>
<#list 1..100 as y>
<#if lan < 1>
<#-- An octet of 0 contributes eight "0" digits. -->
<#if lan == 0>
<#list 1..8 as s> <#assign lan_ip=lan_ip+["0"]> </#list> </#if>
<#-- Pad this octet with high-order "0" digits up to a multiple of 8. -->
<#if lan_ip?size % 8 != 0> <#list 1..8 as s> <#assign lan_ip=lan_ip+["0"]> <#if lan_ip?size % 8 == 0> <#break> </#if> </#list> </#if>
<#-- ip_bit is the reversed list: last octet first, each octet most-significant bit first. It is reassigned after every octet; the value after the last octet is the one used. -->
<#assign ip_bit = lan_ip?reverse> <#break> </#if>
<#assign x=lan%2 st=x?string lan_ip=lan_ip+[st] lan=lan/2> </#list></#list>
<#-- Binary Conversion of NetMask-->
<#-- Same procedure for the mask; subnet_bit ends up in the same bit order as ip_bit. -->
<#list lanNet as lann>
<#assign lan=lann?number>
<#list 1..100 as y>
<#if lan < 1 >
<#if lan == 0>
<#list 1..8 as s> <#assign lan_netmask=lan_netmask+["0"]> </#list> </#if>
<#if lan_netmask?size % 8 != 0>
<#list 1..8 as s> <#assign lan_netmask=lan_netmask+["0"]> <#if lan_netmask?size % 8 == 0> <#break>
</#if> </#list> </#if>
<#assign subnet_bit= lan_netmask?reverse> <#break> </#if>
<#assign x=lan%2 st=x?string lan_netmask=lan_netmask+[st] lan=lan/2> </#list> </#list>
<#-- Logical AND operation between IP and NetMask-->
<#-- Bitwise AND written out as a truth table; only the 1/1 case yields "1". Relies on both lists being exactly 32 digits long. -->
<#assign lan_netID=[]>
<#list ip_bit as rev_index>
<#if rev_index?string == "1" && subnet_bit[rev_index?index] == "1"><#assign lan_netID=lan_netID+["1"]></#if>
<#if rev_index?string == "1" && subnet_bit[rev_index?index] == "0"><#assign lan_netID=lan_netID+["0"]></#if>
<#if rev_index?string == "0" && subnet_bit[rev_index?index] == "1"><#assign lan_netID=lan_netID+["0"]></#if>
<#if rev_index?string == "0" && subnet_bit[rev_index?index] == "0"><#assign lan_netID=lan_netID+["0"]></#if>
</#list>
<#-- Reverse back to first octet first, least-significant bit first. -->
<#assign netid_bit=lan_netID?reverse>
<#--Binary to Decimal conversion of Logical AND product-->
<#-- Each 8-digit chunk is one octet; weights start at 1 because the digits are least-significant first. -->
<#assign netid=[]>
<#list netid_bit?chunk(8) as row> <#assign num=0 pow=1> <#list row as bit> <#assign num=num+pow*bit?number pow=pow*2> </#list>
<#assign netid=netid+[num]>
</#list>
<#--Network Address-->
<#assign lanNtwk = netid?join(".")?string>
<#-- Wildcard mask = 255 - mask per octet (used by NAT_ACL). ?abs only masks a mask octet above 255; it does not validate the mask. -->
<#assign lanWild = "${(255 - (lanNet[0])?number)?abs}.${(255 - (lanNet[1])?number)?abs}.${(255 - (lanNet[2])?number)?abs}.${(255 - (lanNet[3])?number)?abs}">
<#-- Configure timezone offset -->
<#-- Lookup table: clockTZ key -> UTC offset in hours, as rendered into "clock timezone".
     NOTE(review): the key "bst" appears twice ("+6" and "+1"); in a FreeMarker hash literal the later entry is expected to win, so "bst" presumably resolves to "+1". Confirm which zone was intended and rename one key. -->
<#assign TZ = { "anat":"+12", "sbt":"+11", "aest":"+10", "jst":"+9", "cst":"+8", "wib":"+7", "bst":"+6", "uzt":"+5", "gst":"+4", "msk":"+3", "cest":"+2", "bst":"+1", "gmt":"0", "cvt":"-1", "wgst":"-2", "art":"-3", "edt":"-4", "cdt":"-5", "mst":"-6", "pdt":"-7", "akdt":"-8", "hdt":"-9", "hst":"-10", "nut":"-11", "aeo":"-12" }>
<#-- Linear scan for the matching key. If clockTZ is not a key, "offset" is never assigned and the "clock timezone" line in the next section fails the render. -->
<#list TZ as x, y >
<#if x != clockTZ>
<#continue>
<#else>
<#assign offset = y>
</#if>
</#list>
<#-- Configure Device Settings -->
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
<#-- Only reversible type 7 obfuscation of plain-text passwords and keys in the running config (e.g. the IKEv2 pre-shared keys below). User secrets do not depend on it; they use scrypt. -->
service password-encryption
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
no logging console
!
<#-- Both values come from the header: clockTZ is the form key, offset the table lookup. -->
clock timezone ${clockTZ} ${offset}
ntp server ${ntpIP}
!
ip name-server ${DNSIP}
ip domain name ${domainName}
<#-- Exclude the first 5 IP addresses of the LAN -->
<#-- nwk_suffix is the start of the 32-address block that contains the gateway's host octet; nwk_addr is that block start plus 5.
     The excluded range runs from the gateway address up to nwk_addr. NOTE(review): when the gateway's host octet is more than 5 above its block start, the range end precedes its start; confirm the intended exclusion. nwk_addr is reused in NAT_ACL below. -->
<#assign gwips = far.lanIPAddress?split(".")>
<#assign nwk_suffix = (gwips[3]?number / 32)?int * 32>
<#assign nwk_addr = gwips[0] + "." + gwips[1] + "." + gwips[2] + "." + (nwk_suffix + 5)>
ip dhcp excluded-address ${far.lanIPAddress} ${nwk_addr}
!
<#-- LAN DHCP pool on the computed network; gateway and DNS are the device itself and Umbrella; lease is 10 minutes. -->
ip dhcp pool subtended
network ${lanNtwk} ${far.lanNetmask}
default-router ${far.lanIPAddress}
dns-server ${DNSIP}
lease 0 0 10
!
!
<#-- Local accounts. The privilege level is rendered as given by the form (15 is full administrative access). The password is stored on the device as a scrypt hash, but this rendered config still carries it in clear. -->
<#list far.Users as user >
username ${user['userName']} privilege ${user['userPriv']} algorithm-type scrypt secret ${user['userPassword']}
</#list>
!
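<#-- S2S VPN Configuration -->
<#-- FlexVPN spoke towards the primary headend and, optionally, a backup headend. Emitted unless the
     primary-headend toggle is present and not "true".
     NOTE(review): section.vpn_primaryheadend?? does not cover the "section" hash itself being absent;
     (section.vpn_primaryheadend)?? would. -->
!
<#if !section.vpn_primaryheadend?? || section.vpn_primaryheadend == "true">
<#-- A backup peer is rendered only when the backup toggle allows it AND a backup address was supplied.
     The address test matches the routing and ACL sections further down and prevents a render failure
     on an unassigned backupHerIpAddress / backupHerPsk (both are only assigned in the header when
     far.backupHerIpAddress has content). -->
<#assign backupHerEnabled = (!section.vpn_backupheadend?? || section.vpn_backupheadend == "true") && backupHerIpAddress?has_content>
<#-- Authorization policy for the tunnel: routes pushed by the headend are accepted with AD 70. -->
crypto ikev2 authorization policy CVPN
route set interface
route accept any distance 70
!
<#-- Keyring: the pre-shared keys are rendered in clear here, and "service password-encryption" only
     applies reversible type 7 obfuscation on the device, so the rendered config must be handled as a secret. -->
crypto ikev2 keyring Flex_key
!
peer ${herIpAddress}
address ${herIpAddress}
identity key-id ${herIpAddress}
pre-shared-key ${herPsk}
!
<#if backupHerEnabled>
peer ${backupHerIpAddress}
address ${backupHerIpAddress}
identity key-id ${backupHerIpAddress}
pre-shared-key ${backupHerPsk}
!
</#if>
!
!
<#-- IKEv2 profile: pre-shared-key authentication in both directions; the local identity is derived
     from the device serial number parsed in the header. -->
crypto ikev2 profile CVPN_I2PF
match identity remote key-id ${herIpAddress}
<#if backupHerEnabled>
match identity remote key-id ${backupHerIpAddress}
</#if>
identity local email ${sn}@iotspdev.io
authentication remote pre-share
authentication local pre-share
keyring local Flex_key
<#-- Periodic dead peer detection (interval 29 s, retry 2 s) so a dead headend is noticed and the client can move on. -->
dpd 29 2 periodic
aaa authorization group psk list CVPN CVPN
!
!
crypto ipsec profile CVPN_IPS_PF
set ikev2-profile CVPN_I2PF
!
!
<#-- Tunnel2: address, source and destination are assigned dynamically by the FlexVPN client block below.
     MTU and MSS are lowered to leave room for IPsec overhead. The tunnel is a NAT outside interface (see RM_Tu2). -->
interface Tunnel2
ip address negotiated
ip mtu 1358
ip nat outside
ip tcp adjust-mss 1318
tunnel source dynamic
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel path-mtu-discovery
tunnel protection ipsec profile CVPN_IPS_PF
!
!
<#-- FlexVPN client: peers are tried in order; the tunnel source order follows the WAN priority chosen in
     the header, each source gated by its reachability track (30 = Ethernet, 40 = cellular). -->
crypto ikev2 client flexvpn Tunnel2
peer 1 ${herIpAddress}
<#if backupHerEnabled>
peer 2 ${backupHerIpAddress}
</#if>
<#if EthernetPriority == 101>
source 1 ${ether_if} track 30
source 2 ${cell_if} track 40
<#else>
source 1 ${cell_if} track 40
source 2 ${ether_if} track 30
</#if>
client connect Tunnel2
!
!
</#if>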
<#-- interface priorities -->
<#-- IP SLA 30 sends an ICMP probe to the first Umbrella resolver out of the Ethernet WAN every 10 s;
     SLA 40 probes the second resolver out of cellular every 50 s. The pinned host routes in the routing
     section are what keep each probe on its own WAN. -->
ip sla 30
icmp-echo 208.67.222.222 source-interface ${ether_if}
frequency 10
!
ip sla schedule 30 life forever start-time now
ip sla 40
icmp-echo 208.67.220.220 source-interface ${cell_if}
frequency 50
!
ip sla schedule 40 life forever start-time now
<#-- track 5 is defined here but is not referenced anywhere else in this template. -->
track 5 interface ${ether_if} line-protocol
!
<#-- track 7 (cellular line protocol) gates the cellular default route and the cellular probe route. -->
track 7 interface ${cell_if} line-protocol
!
<#-- Reachability tracks 30/40 drive the FlexVPN tunnel-source selection, the Ethernet DHCP route and the NAT-flush EEM applets. -->
track 30 ip sla 30 reachability
!
track 40 ip sla 40 reachability
!
<#-- Enable GPS and Gyroscope -->
controller ${cell_if}
lte gps mode standalone
lte gps nmea
!
<#-- Ethernet WAN: DHCP-assigned address; the DHCP default route is installed only while track 30 is up. NAT outside interface. -->
interface ${ether_if}
ip dhcp client route track 30
ip address dhcp
no shutdown
ip nat outside
!
!
<#-- Cellular WAN: negotiated address, always-on dialer (idle-timeout 0). NAT outside interface. -->
interface ${cell_if}
ip address negotiated
ip nat outside
dialer in-band
dialer idle-timeout 0
dialer-group 1
pulse-time 1
!
!
<#-- LAN SVI: NAT inside interface with strict unicast RPF, so LAN packets whose source address does not
     route back via Vlan1 are dropped (anti-spoofing on the LAN side). -->
interface Vlan1
ip address ${far.lanIPAddress} ${far.lanNetmask}
ip nbar protocol-discovery
ip nat inside
ip verify unicast source reachable-via rx
!
!
<#-- enabling/disabling of ethernet ports -->
<#-- Each switch port is shut unless its form flag is exactly the string "true"; any other value, including empty, disables the port. -->
interface FastEthernet0/0/1
<#if FastEthernet1 != "true">
shutdown
<#else>
no shutdown
</#if>
!
interface FastEthernet0/0/2
<#if FastEthernet2 != "true">
shutdown
<#else>
no shutdown
</#if>
!
interface FastEthernet0/0/3
<#if FastEthernet3 != "true">
shutdown
<#else>
no shutdown
</#if>
!
interface FastEthernet0/0/4
<#if FastEthernet4 != "true">
shutdown
<#else>
no shutdown
</#if>
<#-- Serial port in SCADA encapsulation, no IP address. -->
interface Async0/2/0
no ip address
encapsulation scada
!
<#-- Enable IOx -->
iox
<#-- Configure NAT and routing -->
ip forward-protocol nd
!
<#-- PAT for NAT_ACL sources out of whichever WAN the packet leaves on; each route-map matches one WAN interface. -->
ip nat inside source route-map RM_WAN_ACL interface ${cell_if} overload
ip nat inside source route-map RM_WAN_ACL2 interface ${ether_if} overload
<#-- Use default i/f to set PAT -->
<#-- Static port forwards are bound at render time to the WAN chosen by the priority setting; they do not
     follow a runtime failover to the other WAN. Rows without a protocol are skipped. Each rendered line
     exposes one inside host/port on that WAN's public address. -->
<#list far.portForwarding as PAT>
<#if PAT['protocol']?has_content>
<#if EthernetPriority == 101>
ip nat inside source static ${PAT['protocol']} ${PAT['privateIP']} ${PAT['localPort']} interface ${ether_if} ${PAT['publicPort']}
<#else>
ip nat inside source static ${PAT['protocol']} ${PAT['privateIP']} ${PAT['localPort']} interface ${cell_if} ${PAT['publicPort']}
</#if>
</#if>
</#list>
<#-- remove this route from the bootstrap config to allow failover -->
no ip route 0.0.0.0 0.0.0.0 ${cell_if} 100
<#-- add IPSLA tracking to allow i/f failover -->
<#-- Two default routes with the administrative distances set in the header (101 preferred, 102 backup);
     the cellular one is withdrawn while track 7 is down. -->
ip route 0.0.0.0 0.0.0.0 ${ether_if} dhcp ${EthernetPriority}
ip route 0.0.0.0 0.0.0.0 ${cell_if} ${Cell0Priority} track 7
<#-- Host routes pin each SLA probe target to its own WAN (DHCP-learned gateway for Ethernet, cellular
     gated by track 7). The Null0 routes with AD 3 presumably black-hole a probe once its WAN route is
     gone, so the probe fails instead of succeeding via the other WAN; confirm against the design. -->
ip route 208.67.222.222 255.255.255.255 dhcp
ip route 208.67.220.220 255.255.255.255 ${cell_if} track 7
ip route 208.67.220.220 255.255.255.255 Null0 3
ip route 208.67.222.222 255.255.255.255 Null0 3
<#-- Headend host routes via the Ethernet WAN's DHCP gateway, rendered under the same toggle as the VPN section. -->
<#if !section.vpn_primaryheadend?? || section.vpn_primaryheadend == "true">
ip route ${herIpAddress} 255.255.255.255 ${ether_if} dhcp
<#if backupHerIpAddress?has_content>
ip route ${backupHerIpAddress} 255.255.255.255 ${ether_if} dhcp
</#if>
</#if>
!
ip nat inside source route-map RM_Tu2 interface Tunnel2 overload
!
<#-- SSH version 2 only. The "SSHKEY" RSA keypair is referenced but not generated in this template. SCP server enabled for file transfer over SSH. -->
ip ssh rsa keypair-name SSHKEY
ip ssh version 2
ip scp server enable
!
<#-- Inbound WAN filter: ICMP control messages, DHCP replies to the broadcast address, and ESP from the headend(s).
     NOTE(review): no "ip access-group filter-internet" appears anywhere in this template, so the list is
     defined but never applied to an interface; the WAN interfaces have no inbound filter from this file. -->
ip access-list extended filter-internet
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any packet-too-big
permit icmp any any ttl-exceeded
permit udp any eq bootps host 255.255.255.255 eq bootpc
<#if !section.vpn_primaryheadend?? || section.vpn_primaryheadend == "true">
permit esp host ${herIpAddress} any
<#if backupHerIpAddress?has_content>
permit esp host ${backupHerIpAddress} any
</#if>
</#if>
!
<#-- Sources eligible for NAT: the computed LAN network, plus the 32-address block around nwk_addr
     (the wildcard ignores the low 5 bits). The second line appears redundant when the LAN already covers that block. -->
ip access-list extended NAT_ACL
permit ip ${lanNtwk} ${lanWild} any
permit ip ${nwk_addr} 0.0.0.31 any
!
route-map RM_Tu2 permit 10
match ip address NAT_ACL
match interface Tunnel2
!
dialer-list 1 protocol ip permit
!
!
route-map RM_WAN_ACL permit 10
match ip address NAT_ACL
match interface ${cell_if}
!
route-map RM_WAN_ACL2 permit 10
match ip address NAT_ACL
match interface ${ether_if}
!
<#-- Remote management: SSH only on the VTY lines, 5-minute idle timeout, no paging. -->
line vty 0 4
exec-timeout 5 0
length 0
transport input ssh
!
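<#-- Improve WAN failover performance -->
<#-- On any state change of the Ethernet reachability track, flush the NAT table so existing flows are
     re-established over the surviving WAN instead of lingering on stale translations. -->
event manager applet Eth-to-cell-failover
event track 30 state any
action 0.1 syslog msg "Gig0/0/0 connectivity change. Clearing NAT translations."
action 0.2 cli command "enable"
action 1.0 cli command "clear ip nat translation *"
<#-- Same handling for the cellular reachability track. -->
event manager applet Cell-to-eth-failover
event track 40 state any
action 0.1 syslog msg "Cell0/1/0 connectivity change. Clearing NAT translations."
action 0.2 cli command "enable"
action 1.0 cli command "clear ip nat translation *"
<#-- Set APN -->
<#-- APN is assigned in the header only when far.apn was supplied; ?has_content is false for an unassigned variable, so the applet is omitted otherwise. -->
<#if APN?has_content>
<#-- One-shot applet: 10 s after registration, create LTE profile 1 with the requested APN and answer the confirm prompt. -->
event manager applet change_apn
event timer countdown time 10
action 5 syslog msg "Changing APN Profile"
action 10 cli command "enable"
<#-- APN is interpolated unquoted into an IOS command line; it is assumed to contain no spaces or quotes (form validation presumed; confirm). -->
action 15 cli command "${cell_if} lte profile create 1 ${APN}" pattern "confirm"
action 20 cli command "y"
!
!
</#if>
<#-- End eCVD template -->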