Notes on the main commands
Time settings
Router(config)# timezone 9
Router(config)# ntp retry 3
Router(config)# ntp interval 3600
Router(config)# clock 16 01 0 3 1 2010
Router(config)# show clock
Sunday, 3 January 2010 16:01:28 +09 00
Setting the hostname (optional)
Router(config)# hostname cu
cu(config)#
Saving the configuration
Router(config)# write memory
Building configuration...
% Warning: do NOT enter CNTL/Z while saving to avoid config corruption.
Router(config)#
Checking interface status
Router(config)# show interfaces FastEthernet0/0.0
Interface FastEthernet0/0.0 is administratively down
  Fundamental MTU is 1500 octets
  Current bandwidth 100M b/s, QoS is disabled
  Datalink header cache type is none: 0/0 (standby/dynamic)
  SNMP MIB-2: ifIndex is 518
  Logical INTERFACE:
    Elapsed time after clear counters 0:11:00
    0 packets input, 0 bytes, 0 errors
      0 unicasts, 0 non-unicasts, 1 unknown protos
      0 drops, 0 misc errors
    0 output requests, 0 bytes, 0 errors
      0 unicasts, 0 non-unicasts
      0 overflows, 0 neighbor unreachable, 0 misc errors
    1 link-up detected, 0 link-down detected
  Encapsulation ETHERNET:
    State is initialized
  FastEthernet status:
    Physical address is 00:30:13:36:ce:03
    Port status is up
    Full-duplex, 100M b/s, 100BaseTX
    Promiscuous mode is disabled
    Statistics:
      Rx errors: 0 alignment errors, 0 CRC errors
                 0 long frames, 0 short frames, 0 overflows
      Tx errors: 0 single collisions, 0 multiple collisions
                 0 excessive collisions, 0 late collisions
                 0 deferred transmissions, 0 carrier sense errors
                 0 underflows
Router(config)#
Static IP address on FE0/0
Router(config)# interface FastEthernet0/0.0
Router(config-FastEthernet0/0.0)# ip address 192.168.0.1/24
Router(config-FastEthernet0/0.0)# ipv6 address autoconfig
Router(config-FastEthernet0/0.0)# no shutdown
Router(config-FastEthernet0/0.0)# show ip address
DHCP client on FE0/1
Router(config)# interface FastEthernet0/1.0
Router(config-FastEthernet0/1.0)# ip address dhcp
Router(config-FastEthernet0/1.0)# ipv6 address autoconfig
Router(config-FastEthernet0/1.0)# no shutdown
Router(config-FastEthernet0/1.0)# show ip address
Router(config-FastEthernet0/1.0)# ip nat enable
NAT settings
Router(config)# interface FastEthernet0/1.0
Router(config-FastEthernet0/1.0)# ip nat translation timeout 3600
Router(config-FastEthernet0/1.0)# ip nat dynamic list lan pool abc
Router(config-FastEthernet0/1.0)# ip nat enable
Telnet server
Router(config)# ip access-list lan permit ip src 192.168.0.0/24 dest any
Router(config)# telnet-server ip access-list lan
Router(config)# telnet-server ip enable
The access list restricts Telnet logins to sources in 192.168.0.0/24. Telnet carries credentials in cleartext, so this restriction to the LAN side is the minimum you want before enabling the server.
Default route
Router(config)# ip route default FastEthernet0/1.0 dhcp
NTP server settings
Router(config)# ntp server 133.27.4.121
Router(config)# ntp server 210.173.160.27
Router(config)# ntp ip enable
DHCP server settings
Router(config)# ip dhcp profile lan
Router(config-dhcp-lan)# assignable-range 192.168.0.100 192.168.0.254
Router(config-dhcp-lan)# subnet-mask 255.255.255.0
Router(config-dhcp-lan)# dns-server 192.168.0.1
Router(config-dhcp-lan)# exit
Router(config)# ip dhcp enable
Router(config)# interface FastEthernet0/0.0
Router(config-FastEthernet0/0.0)# ip dhcp binding lan
Router(config-FastEthernet0/0.0)# exit
DNS proxy settings
Router(config)# dns cache enable
Router(config)# proxy-dns ip enable
Router(config)# proxy-dns ipv6 enable
Enabling the UFS cache
The UFS cache (Unified Forwarding Service Cache) is a fast-forwarding cache mechanism that takes effect when services such as filtering, NAT/NAPT and IPsec are in use, and is a feature specific to the IX1000/2000/3000 series. It improves scalability with multi-stage filter configurations, multiple IPsec configurations and the like. From Ver.4.2 it can be configured separately for IPv4 and IPv6. From Ver.4.3 policy routing, and from Ver.7.3 QoS and dynamic filters, also go through the UFS cache.
Router(config)# ip ufs-cache enable
Filtering settings
ip access-list strict-block deny tcp src any sport any dest any dport eq 137
ip access-list strict-block deny udp src any sport any dest any dport eq 137
ip access-list strict-block deny udp src any sport any dest any dport eq 138
ip access-list strict-block deny tcp src any sport any dest any dport eq 139
ip access-list strict-block deny tcp src any sport any dest any dport eq 445
ip access-list strict-block deny udp src any sport any dest any dport eq 445
ip access-list weak-block deny tcp src any sport any dest any dport eq 1
ip access-list weak-block deny udp src any sport any dest any dport eq 1
ip access-list weak-block deny tcp src any sport any dest any dport eq 11
ip access-list weak-block deny udp src any sport any dest any dport eq 11
ip access-list weak-block deny tcp src any sport any dest any dport eq 15
ip access-list weak-block deny udp src any sport any dest any dport eq 15
ip access-list weak-block deny tcp src any sport any dest any dport eq 70
ip access-list weak-block deny udp src any sport any dest any dport eq 70
ip access-list weak-block deny tcp src any sport any dest any dport eq 79
ip access-list weak-block deny udp src any sport any dest any dport eq 79
ip access-list weak-block deny tcp src any sport any dest any dport eq 87
ip access-list weak-block deny udp src any sport any dest any dport eq 87
ip access-list weak-block deny tcp src any sport any dest any dport eq 95
ip access-list weak-block deny udp src any sport any dest any dport eq 95
ip access-list weak-block deny tcp src any sport any dest any dport eq 111
ip access-list weak-block deny udp src any sport any dest any dport eq 111
ip access-list weak-block deny tcp src any sport any dest any dport eq 135
ip access-list weak-block deny udp src any sport any dest any dport eq 135
ip access-list weak-block deny tcp src any sport any dest any dport eq 144
ip access-list weak-block deny udp src any sport any dest any dport eq 144
ip access-list weak-block deny tcp src any sport any dest any dport eq 161
ip access-list weak-block deny udp src any sport any dest any dport eq 161
ip access-list weak-block deny tcp src any sport any dest any dport eq 162
ip access-list weak-block deny udp src any sport any dest any dport eq 162
ip access-list weak-block deny tcp src any sport any dest any dport eq 177
ip access-list weak-block deny udp src any sport any dest any dport eq 177
ip access-list weak-block deny tcp src any sport any dest any dport eq 220
ip access-list weak-block deny udp src any sport any dest any dport eq 220
ip access-list weak-block deny tcp src any sport any dest any dport eq 445
ip access-list weak-block deny udp src any sport any dest any dport eq 445
ip access-list weak-block deny tcp src any sport any dest any dport eq 512
ip access-list weak-block deny udp src any sport any dest any dport eq 512
ip access-list weak-block deny tcp src any sport any dest any dport eq 513
ip access-list weak-block deny udp src any sport any dest any dport eq 513
ip access-list weak-block deny tcp src any sport any dest any dport eq 514
ip access-list weak-block deny udp src any sport any dest any dport eq 514
ip access-list weak-block deny tcp src any sport any dest any dport eq 515
ip access-list weak-block deny udp src any sport any dest any dport eq 515
ip access-list weak-block deny tcp src any sport any dest any dport eq 517
ip access-list weak-block deny udp src any sport any dest any dport eq 517
ip access-list weak-block deny tcp src any sport any dest any dport eq 518
ip access-list weak-block deny udp src any sport any dest any dport eq 518
ip access-list weak-block deny tcp src any sport any dest any dport eq 520
ip access-list weak-block deny udp src any sport any dest any dport eq 520
ip access-list weak-block deny tcp src any sport any dest any dport eq 540
ip access-list weak-block deny udp src any sport any dest any dport eq 540
ip access-list weak-block deny tcp src any sport any dest any dport eq 1025
ip access-list weak-block deny udp src any sport any dest any dport eq 1025
ip access-list weak-block deny tcp src any sport any dest any dport eq 2000
ip access-list weak-block deny udp src any sport any dest any dport eq 2000
ip access-list weak-block deny tcp src any sport any dest any dport eq 2049
ip access-list weak-block deny udp src any sport any dest any dport eq 2049
ip access-list weak-block deny tcp src any sport any dest any dport eq 2766
ip access-list weak-block deny udp src any sport any dest any dport eq 2766
ip access-list weak-block deny tcp src any sport any dest any dport range 6000 6063
ip access-list weak-block deny udp src any sport any dest any dport range 6000 6063
ip access-list weak-block deny tcp src any sport any dest any dport eq 12345
ip access-list weak-block deny udp src any sport any dest any dport eq 12345
ip access-list specialuse deny ip src 0.0.0.0/8 dest any
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 172.16.0.0/12 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list specialuse deny ip src 127.0.0.0/8 dest any
ip access-list specialuse deny ip src 169.254.0.0/16 dest any
ip access-list specialuse deny ip src 192.0.2.0/24 dest any
ip access-list specialuse deny ip src 224.0.0.0/3 dest any
ip access-list specialuse deny ip src 198.18.0.0/15 dest any
ip access-list mynetwork permit ip src 192.168.0.0/24 dest any
ip access-list all-pass permit ip src any dest any
ip filter forced-reassembly
interface FastEthernet0/1.0
  ip filter all-pass 65000 in
  ip filter all-pass 65000 out
  ip filter mynetwork 50 out
  ip filter strict-block 1 in
  ip filter strict-block 1 out
  ip filter weak-block 100 in
  ip filter weak-block 100 out
  ip filter specialuse 101 in
  ip filter specialuse 101 out
Restarting
# Loads the startup config and clears DRAM
restart
# Reloads the program, loads the startup config and clears DRAM
reload
A mysterious point
Even though ip filter denies the traffic, a NAT table entry still gets created. I wondered whether the packets might be getting through the filter, but they are in fact being dropped properly. A mystery.
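To make the filter numbering on FastEthernet0/1.0 concrete, the following is an added Python model of how the ip filter chain decides a packet's fate. It is not code from the original page or from NEC. It assumes the IX semantics that filters bound to an interface are evaluated in ascending priority order, that the first matching access-list entry decides, and that a packet matching no entry is dropped (which is why the chain ends with all-pass at 65000). The ACL subset in CONFIG is a constructed excerpt of the lists above, and the addresses 198.51.100.2 (standing in for the router's WAN address) and 203.0.113.5 (a remote host) are constructed for the example. Under these assumptions it shows a property of the configuration that is easy to miss when reading the list: outbound traffic from 192.168.0.0/24 is permitted by mynetwork at priority 50 before weak-block at 100 and specialuse at 101 are ever consulted, so only strict-block limits what LAN hosts may reach; the other two lists bite on inbound traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the access-list and filter lines from the
# configuration above, one command per line (the full lists behave the same way).
CONFIG = """
ip access-list strict-block deny tcp src any sport any dest any dport eq 445
ip access-list strict-block deny udp src any sport any dest any dport eq 445
ip access-list weak-block deny udp src any sport any dest any dport eq 161
ip access-list weak-block deny tcp src any sport any dest any dport range 6000 6063
ip access-list specialuse deny ip src 10.0.0.0/8 dest any
ip access-list specialuse deny ip src 192.168.0.0/16 dest any
ip access-list mynetwork permit ip src 192.168.0.0/24 dest any
ip access-list all-pass permit ip src any dest any
interface FastEthernet0/1.0
ip filter all-pass 65000 in
ip filter all-pass 65000 out
ip filter mynetwork 50 out
ip filter strict-block 1 in
ip filter strict-block 1 out
ip filter weak-block 100 in
ip filter weak-block 100 out
ip filter specialuse 101 in
ip filter specialuse 101 out
"""


@dataclass
class AclEntry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]   # inclusive range; None means any port


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_config(text: str):
    """Collect access-list entries by name and the per-direction filter bindings."""
    acls: Dict[str, List[AclEntry]] = {}
    filters: Dict[str, List[Tuple[int, str]]] = {"in": [], "out": []}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "access-list"]:
            name, action, proto = tok[2], tok[3], tok[4]
            src = _net(tok[tok.index("src") + 1])
            dst = _net(tok[tok.index("dest") + 1])
            dport = None
            if "dport" in tok:
                i = tok.index("dport")
                if tok[i + 1] == "eq":
                    dport = (int(tok[i + 2]), int(tok[i + 2]))
                elif tok[i + 1] == "range":
                    dport = (int(tok[i + 2]), int(tok[i + 3]))
            acls.setdefault(name, []).append(AclEntry(action, proto, src, dst, dport))
        elif tok[:2] == ["ip", "filter"] and len(tok) == 5:
            name, prio, direction = tok[2], int(tok[3]), tok[4]
            filters[direction].append((prio, name))
    for chain in filters.values():
        chain.sort()  # assumption: the lower priority number is evaluated first
    return acls, filters


def evaluate(acls, filters, direction, proto, src, dst, dport=None):
    """Walk the filter chain for one direction; the first matching entry decides.

    Returns (action, "acl@priority"). A packet matching no entry is reported as
    ("deny", "implicit"), an assumption about IX behaviour that explains why the
    original configuration closes the chain with all-pass at priority 65000.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, name in filters[direction]:
        for e in acls[name]:
            if e.proto != "ip" and e.proto != proto:
                continue
            if s not in e.src or d not in e.dst:
                continue
            if e.dport is not None and (dport is None or not e.dport[0] <= dport <= e.dport[1]):
                continue
            return e.action, f"{name}@{prio}"
    return "deny", "implicit"


ACLS, FILTERS = parse_config(CONFIG)


def check(direction, proto, src, dst, dport=None):
    return evaluate(ACLS, FILTERS, direction, proto, src, dst, dport)


if __name__ == "__main__":
    # 198.51.100.2 stands in for the router's WAN address and 203.0.113.5 for a
    # remote host; both are RFC 5737 documentation addresses constructed here.
    for pkt in [
        ("out", "tcp", "192.168.0.10", "203.0.113.5", 445),   # SMB from the LAN
        ("out", "udp", "192.168.0.10", "203.0.113.5", 161),   # SNMP from the LAN
        ("in", "tcp", "10.1.2.3", "198.51.100.2", 80),        # spoofed private source
        ("in", "tcp", "203.0.113.5", "198.51.100.2", 6010),   # X11 from outside
        ("in", "tcp", "203.0.113.5", "198.51.100.2", 80),     # anything else from outside
    ]:
        print(pkt, "->", check(*pkt))
```

Under these assumptions SMB from the LAN is stopped by strict-block at 1, but SNMP from the LAN is permitted by mynetwork at 50 and weak-block is never reached; if the weak-block list is meant to apply to LAN-originated traffic as well, its outbound priority has to be numbered below mynetwork. Inbound, anything not on the lists falls through to all-pass, so the filter alone admits unsolicited inbound packets to the WAN address and it is the NAT/NAPT state that decides what actually gets forwarded.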
Not-so-good points
The WAN-side interface gets its IP address from the ISP via DHCP, but the lease period is 6 hours.
Every 6 hours the interface releases the address and goes down once, so the whole NAPT table is cleared as well. Since the address it is then assigned is the same one, this is very inconvenient.

Excellent stability
It has been in operation for a month and has run without a single reboot.
Change history
2010/2/23: Removed the DHCP filters.
The removed lines are shown below.
ip access-list weak-block deny tcp src any sport any dest any dport eq 67
ip access-list weak-block deny udp src any sport any dest any dport eq 67
ip access-list weak-block deny tcp src any sport any dest any dport eq 68
ip access-list weak-block deny udp src any sport any dest any dport eq 68
2018/9/21 addendum
This article gets quite a lot of hits, but these days the IX2015 is underpowered in terms of specs, so it is better to use the RTX1200.
2022/2/8 addendum
NEC is still quietly making successor models, so if you like NEC go with those. Personally, I recommend YAMAHA.