Geeks Documentation

### IP FILTERING & MASQUERADING RULES ###
ipchains -A input -j DENY -s 0.0.0.0/0 137 -d 0.0.0.0/0 137 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 137 -d 0.0.0.0/0 137 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 137 -d 0.0.0.0/0 137 -p udp
ipchains -A input -j DENY -s 0.0.0.0/0 138 -d 0.0.0.0/0 138 -p udp
ipchains -A input -j DENY -s 0.0.0.0/0 138 -d 0.0.0.0/0 138 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 138 -d 0.0.0.0/0 138 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 139 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 139 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 139 -p udp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 445 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 445 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 445 -p udp

######################################################################
# #
# Welcome to ZTE Full Service Access Platform #
# #
# Press Return to get started #
# #
# Copyright 2005-2009 , ZTE Co.,Ltd. #
# #
######################################################################
Login:


Login:admin
Password:

ZTE-DARA-STO-SHDSL>enable
Please input password:

ZTE-DARA-STO-SHDSL# show run
add-card SSTEB 1
end
configure
add-vlan 31,771
ip host 10.62.5.101 255.255.0.0
ip subnet 172.20.xxx.x 255.255.255.128 31 name "ZTESUBNET"
ip modem 192.168.2.2 255.255.255.0
system hostname ZTE-
end
configure interface shdsl 1/1
pvid 771 pvc 1
end
configure interface shdsl 1/2
pvid 771 pvc 1
end
configure interface shdsl 1/3
pvid 771 pvc 1
end
configure interface shdsl 1/4
pvid 771 pvc 1
end
configure interface shdsl 1/5
pvid 771 pvc 1
end
configure interface shdsl 1/6
pvid 771 pvc 1
end
configure interface shdsl 1/7
pvid 771 pvc 1
end
configure interface shdsl 1/8
pvid 771 pvc 1
end
configure interface shdsl 1/9
pvid 771 pvc 1
end
configure interface shdsl 1/10
pvid 771 pvc 1
end
configure interface shdsl 1/11
pvid 771 pvc 1
end
configure interface shdsl 1/12
pvid 771 pvc 1
end
configure interface shdsl 1/13
pvid 771 pvc 1
end
configure interface shdsl 1/14
pvid 771 pvc 1
end
configure interface shdsl 1/15
pvid 771 pvc 1
end
configure interface shdsl 1/16
pvid 771 pvc 1
end
configure interface shdsl 1/17
pvid 771 pvc 1
end
configure interface shdsl 1/18
pvid 771 pvc 1
end
configure interface shdsl 1/19
pvid 771 pvc 1
end
configure interface shdsl 1/20
pvid 771 pvc 1
end
configure interface shdsl 1/21
pvid 771 pvc 1
end
configure interface shdsl 1/22
pvid 771 pvc 1
end
configure interface shdsl 1/23
pvid 771 pvc 1
end
configure interface shdsl 1/24
pvid 771 pvc 1
end
configure
vlan 771 1/1-24 untag pvc 1
vlan 31 5/1 tag
vlan 771 5/1 tag
uplink-mode cascade master-port 5/1

Building configuration...
##
## sysinfo(System Information)
## Model Name : VERTEX 1501
## Main Memory Size : 16 MB
## Flash Memory Size : 4 MB(INTEL IN28F320J5)
## S/W Compatibility : 1
## H/W Revision : DS-MA-02C-B0
## VROS Version : 5.05
##

### HOSTNAME ###
hostname 'router'
hostname > /etc/HOSTNAME

### MODULES ###

### VLAN ###

### ATM ###

### IP TUNNEL ###

### INTERFACE hdlc1 ###
echo encapsulation ppp > /proc/hdlc1
ip addr add 172.20.118.102 peer 172.20.118.101/30 brd 172.20.118.103 scope global dev hdlc1
ip link set up dev hdlc1

### INTERFACE eth0 ###
ip addr add 192.118.10.254/24 brd 192.118.10.255 scope global dev eth0
ip link set up dev eth0

### LOAD SHARE ###

### SYSTEM CONFIGURATION ###

### IP ROUTING TABLE ###
ip route add 10.118.22.0/27 dev hdlc1 proto static scope global
ip route add 172.16.2.0/24 dev hdlc1 proto static scope global
ip route add 192.168.32.0/24 dev hdlc1 proto static scope global
ip route add 172.16.1.0/24 dev hdlc1 proto static scope global
ip route add 192.168.31.0/24 dev hdlc1 proto static scope global
ip route add 10.118.21.0/24 dev hdlc1 proto static scope global
ip route add 10.118.210.0/24 dev hdlc1 proto static scope global
ip route add default dev hdlc1 proto static scope global

### IP FILTERING & MASQUERADING RULES ###
ipchains -A input -j DENY -s 0.0.0.0/0 137 -d 0.0.0.0/0 137 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 137 -d 0.0.0.0/0 137 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 137 -d 0.0.0.0/0 137 -p udp
ipchains -A input -j DENY -s 0.0.0.0/0 138 -d 0.0.0.0/0 138 -p udp
ipchains -A input -j DENY -s 0.0.0.0/0 138 -d 0.0.0.0/0 138 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 138 -d 0.0.0.0/0 138 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 139 -p tcp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 139 -p icmp
ipchains -A input -j DENY -s 0.0.0.0/0 139 -d 0.0.0.0/0 139 -p udp

# apr/18/2009 21:51:30 by RouterOS 2.9.27
# software id = QXLH-HWT
#
/ interface ethernet
set Local name="Local" mtu=1500 mac-address=00:1B:11:F1:42:2A arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=1Gbps comment="Link Lan" disabled=no
set Modem1 name="Modem1" mtu=1500 mac-address=00:13:F7:39:E0:ED arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=1Gbps comment="Link Ke Modem 1" disabled=no
set Modem2 name="Modem2" mtu=1500 mac-address=00:20:18:D6:A2:FD arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="Link Ke Modem 2" disabled=no
set Proxy name="Proxy" mtu=1500 mac-address=00:D0:B7:BF:B3:AF arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
/ interface wireless security-profiles
set default name="default" mode=none authentication-types="" \
unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key="" eap-methods=passthrough tls-mode=no-certificates \
tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none \
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none \
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none \
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
/ interface wireless align
set frame-size=300 active-mode=yes receive-all=no \
audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 ssid-all=no \
frames-per-second=25 audio-min=-100 audio-max=-20
/ interface wireless snooper
set multiple-channels=yes channel-time=200ms receive-errors=no
/ interface wireless sniffer
set multiple-channels=no channel-time=200ms only-headers=no receive-errors=no \
memory-limit=10 file-name="" file-limit=10 streaming-enabled=no \
streaming-server=0.0.0.0 streaming-max-rate=0
/ interface bridge port
add interface=Local priority=0x80 path-cost=10 edge=auto point-to-point=auto \
external-fdb=auto comment="" disabled=no
add interface=Modem1 priority=0x80 path-cost=10 edge=auto point-to-point=auto \
external-fdb=auto comment="" disabled=no
/ interface bridge filter
add chain=input in-bridge=(unknown) action=accept comment="" disabled=no
add chain=forward action=accept comment="" disabled=no
add chain=output action=accept comment="" disabled=no
/ interface bridge broute
add chain=brouting action=accept comment="" disabled=no
/ interface bridge nat
add chain=srcnat out-interface=Modem1 action=accept comment="" disabled=no
add chain=srcnat out-interface=Local action=accept comment="" disabled=no
/ interface l2tp-server server
set enabled=no max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
keepalive-timeout=30 default-profile=default-encryption
/ interface pppoe-client
add name="Speedy1" max-mtu=1480 max-mru=1480 interface=Modem1 \
user="1114xxxxxx@telkom.net" password="xxxxx" profile=default \
service-name="" ac-name="" add-default-route=no dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
add name="Speedy2" max-mtu=1480 max-mru=1480 interface=Modem2 \
user="1114xxxxxx@telkom.net" password="xxxxxx" profile=default \
service-name="" ac-name="" add-default-route=no dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
/ ip pool
add name="hikari" ranges=192.168.0.1-192.168.0.13
/ ip telephony region
/ ip telephony gatekeeper
set gatekeeper=none remote-id="" remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec
move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
/ ip accounting
set enabled=yes account-local-traffic=yes threshold=256
/ ip accounting web-access
set accessible-via-web=yes address=192.168.0.30/32
/ ip service
set telnet port=223 address=0.0.0.0/0 disabled=no
set ftp port=221 address=0.0.0.0/0 disabled=no
set www port=1981 address=0.0.0.0/0 disabled=no
set ssh port=222 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
/ ip upnp
set enabled=yes allow-disable-external-interface=no show-dummy-rule=yes
/ ip upnp interfaces
add interface=Local type=internal disabled=no
add interface=Modem1 type=internal disabled=no
add type=internal disabled=no
add interface=Speedy1 type=internal disabled=no
add type=external disabled=no
/ ip arp
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
set primary-dns=85.255.112.195 secondary-dns=203.130.193.74 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
/ ip traffic-flow
set enabled=yes interfaces=Local cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
/ ip address
add address=192.168.0.14/28 network=192.168.0.0 broadcast=192.168.0.15 \
interface=Local comment="IP LAN ROUTER" disabled=no
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 \
interface=Modem1 comment="IP LAN KE MODEM1" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 \
interface=Modem2 comment="IP LAN KE MODEM2" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 \
interface=Proxy comment="IP LAN KE PROXY" disabled=no
/ ip proxy
set enabled=yes port=8080 parent-proxy=0.0.0.0:1 \
maximal-client-connecions=1000 maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
add src-address=0.0.0.0 method="" dst-host="" dst-address=0.0.0.0 \
path=/www.duniasex.com action=allow comment="" disabled=no
/ ip neighbor discovery
set Local discover=yes
set Modem1 discover=yes
set Speedy1 discover=no
set Modem2 discover=yes
set Speedy2 discover=no
set Proxy discover=yes
/ ip route
add dst-address=0.0.0.0/0 gateway=125.165.156.1 distance=1 scope=255 \
target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=125.162.88.1 distance=1 scope=255 \
target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=125.165.156.1,125.162.88.1 distance=1 \
scope=255 target-scope=10 comment="" disabled=no
/ ip firewall mangle
add chain=prerouting nth=5,1,0 action=mark-connection \
new-connection-mark=Speedy-1 passthrough=yes comment="LB" disabled=no
add chain=prerouting in-interface=Local connection-mark=Speedy-1 \
action=mark-routing new-routing-mark=Speedy-1 passthrough=no comment="" \
disabled=no
add chain=prerouting nth=5,2,0 action=mark-connection \
new-connection-mark=Speedy-2 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=Local connection-mark=Speedy-2 \
action=mark-routing new-routing-mark=Speedy-2 passthrough=no comment="" \
disabled=no
add chain=prerouting src-address=192.168.0.0/27 protocol=icmp \
action=mark-connection new-connection-mark=ICMP-CM passthrough=yes \
comment="ToS" disabled=yes
add chain=prerouting connection-mark=ICMP-CM action=mark-packet \
new-packet-mark=ICMP-PM passthrough=yes comment="" disabled=yes
add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay \
comment="" disabled=yes
add chain=prerouting src-address=192.168.0.0/27 protocol=tcp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment="" disabled=yes
add chain=prerouting src-address=192.168.0.0/27 protocol=udp dst-port=53 \
action=mark-connection new-connection-mark=DNS-CM passthrough=yes \
comment="" disabled=yes
add chain=prerouting connection-mark=DNS-CM action=mark-packet \
new-packet-mark=DNS-PM passthrough=yes comment="" disabled=yes
add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay \
comment="" disabled=yes
add chain=forward src-address-list=Lan dst-address-list=nice \
action=mark-connection new-connection-mark=basic_conn_lokal \
passthrough=yes comment="BASIC LOKAL" disabled=yes
add chain=forward connection-mark=basic_conn_lokal action=mark-packet \
new-packet-mark=basic_packet_lokal passthrough=no comment="" disabled=yes
add chain=forward src-address-list=Lan dst-address-list=!nice \
action=mark-connection new-connection-mark=basic_conn_intl passthrough=yes \
comment="BASIC INTL" disabled=yes
add chain=forward connection-mark=basic_conn_intl action=mark-packet \
new-packet-mark=basic_packet_intl passthrough=no comment="" disabled=yes
add chain=prerouting protocol=tcp dst-port=1-1000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="Routing Per Port \
Net" disabled=no
add chain=prerouting protocol=udp dst-port=1-1000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3128 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5050-5060 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=6660-7000 action=mark-connection \
new-connection-mark=spnet_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=spnet_conn action=mark-packet \
new-packet-mark=spnet passthrough=no comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="Routing Per Port \
games" disabled=no
add chain=prerouting protocol=udp dst-port=1001-3127 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=3129-5049 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=5061-6659 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=7001-8079 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=8081-65535 action=mark-connection \
new-connection-mark=spgames_conn passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=spgames_conn action=mark-packet \
new-packet-mark=spgames passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Speedy2 action=masquerade comment="Nat PUBLIC \
Tidak Pisah Trafik" disabled=no
add chain=srcnat out-interface=Speedy1 action=masquerade comment="" \
disabled=no
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=3128 \
comment="Proxy MIx" disabled=yes
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=3128 \
comment="" disabled=yes
add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=3128 \
comment="" disabled=yes
add chain=dstnat protocol=tcp dst-port=80 action=dst-nat \
to-addresses=192.168.1.3 to-ports=8080 comment="Proxy Linux" disabled=yes
add chain=dstnat protocol=tcp dst-port=8080 action=dst-nat \
to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=yes
add chain=dstnat protocol=tcp dst-port=3128 action=dst-nat \
to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=yes
add chain=dstnat in-interface=Local protocol=tcp dst-port=80 \
src-address-list=Lan action=dst-nat to-addresses=192.168.1.3 to-ports=8080 \
comment="Nat LB Proxy Ekesternal" disabled=no
add chain=dstnat in-interface=Local protocol=tcp dst-port=8080 \
src-address-list=Lan dst-address-list=!servergames action=dst-nat \
to-addresses=192.168.1.3 to-ports=8080 comment="" disabled=yes
add chain=dstnat in-interface=Local protocol=tcp dst-port=3128 \
src-address-list=Lan action=dst-nat to-addresses=192.168.1.3 to-ports=8080 \
comment="" disabled=no
add chain=srcnat out-interface=Speedy1 packet-mark=!spnet \
connection-mark=!spnet_conn routing-mark=!Speedy-1 \
src-address-list=!servergames action=src-nat to-addresses=125.162.88.188 \
to-ports=0-65535 comment="Nat Pisah Trafik" disabled=yes
add chain=srcnat out-interface=Speedy2 packet-mark=!spgames \
connection-mark=!spgames_conn routing-mark=!Speedy-2 \
src-address-list=!servergames action=src-nat to-addresses=125.165.156.85 \
to-ports=0-65535 comment="" disabled=yes
add chain=srcnat src-address=192.168.0.0/27 action=masquerade comment="Nat \
PUBLIC " disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
/ ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop comment="Block Bogus IP \
Address" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
action=drop comment="Drop SSH brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list \
address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list \
address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage1 action=add-src-to-address-list \
address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="Port \
Scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="" \
disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list \
address-list="port scanners" address-list-timeout=2w comment="" \
disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w comment="" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="" \
disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
action=drop comment="Filter FTP to Box" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment="Separate \
Protocol into Chains" disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" \
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="Blocking UDP \
Packet" disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="" disabled=no
add chain=tcp protocol=udp dst-port=445 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="" disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="Bloking TCP \
Packet" disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=119 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="" \
disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept \
comment="Limited Ping Flood" disabled=no
add chain=icmp protocol=icmp icmp-options=3:3 limit=5,5 action=accept \
comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=3:4 limit=5,5 action=accept \
comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept \
comment="" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept \
comment="" disabled=no
add chain=icmp protocol=icmp action=drop comment="" disabled=no
add chain=input dst-address-type=broadcast action=accept comment="Allow \
Broadcast Traffic" disabled=no
add chain=input connection-state=established action=accept comment="Connection \
State" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input connection-state=invalid action=drop comment="" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
action=drop comment="Drop SSH brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list \
address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list \
address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage1 action=add-src-to-address-list \
address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m comment="" disabled=no
/ ip firewall address-list
add list=knock address=82.196.5.255 comment="" disabled=no
add list=knock address=85.255.118.158 comment="" disabled=no
add list=knock address=61.19.247.96 comment="" disabled=no
add list=knock address=67.43.13.127 comment="" disabled=no
add list=knock address=64.28.177.139 comment="" disabled=no
add list=knock address=213.8.145.134 comment="" disabled=no
add list=knock address=213.159.231.218 comment="" disabled=no
add list=knock address=202.67.231.160 comment="" disabled=no
add list=knock address=195.38.160.50 comment="" disabled=no
add list=knock address=195.177.72.3 comment="" disabled=no
add list=knock address=81.176.68.175 comment="" disabled=no
add list=knock address=211.239.118.144 comment="" disabled=no
add list=knock address=82.98.86.177 comment="" disabled=no
add list=knock address=74.86.196.213 comment="" disabled=no
add list=knock address=66.155.143.187 comment="" disabled=no
add list=knock address=64.123.43.80 comment="" disabled=no
add list=servergames address=202.93.20.201 comment="Rf" disabled=no
add list=servergames address=202.150.34.6 comment="Dota" disabled=no
add list=servergames address=203.77.212.20 comment="" disabled=no
add list=servergames address=202.89.208.61 comment="" disabled=no
add list=servergames address=202.81.48.27 comment="" disabled=no
add list=servergames address=202.69.106.186 comment="" disabled=no
add list=servergames address=203.146.140.46 comment="" disabled=no
add list=servergames address=202.43.162.171 comment="" disabled=no
add list=servergames address=202.138.231.226 comment="" disabled=no
add list=servergames address=202.146.225.64 comment="" disabled=no
add list=servergames address=122.144.2.38 comment="" disabled=no
add list=servergames address=122.144.2.42 comment="" disabled=no
add list=Blok-ip address=66.45.254.244 comment="Blokip" disabled=no
add list=Blok-ip address=66.45.254.245 comment="" disabled=no
add list=Blok-ip address=69.50.129.124 comment="" disabled=no
add list=Blok-ip address=69.90.74.20 comment="" disabled=no
add list=Blok-ip address=193.239.248.48 comment="" disabled=no
add list=nice address=167.205.0.0/16 comment="Nice" disabled=no
add list=nice address=222.124.0.0/16 comment="" disabled=no
add list=nice address=61.94.0.0/16 comment="" disabled=no
add list=nice address=125.162.0.0/16 comment="" disabled=no
add list=nice address=125.163.0.0/16 comment="" disabled=no
add list=nice address=125.160.0.0/16 comment="" disabled=no
add list=nice address=125.161.0.0/16 comment="" disabled=no
add list=nice address=125.164.0.0/16 comment="" disabled=no
add list=nice address=61.5.0.0/17 comment="" disabled=no
add list=nice address=202.158.0.0/17 comment="" disabled=no
add list=nice address=118.98.128.0/17 comment="" disabled=no
add list=nice address=125.208.128.0/18 comment="" disabled=no
add list=nice address=210.210.128.0/18 comment="" disabled=no
add list=nice address=152.118.128.0/18 comment="" disabled=no
add list=nice address=152.118.192.0/18 comment="" disabled=no
add list=nice address=152.118.0.0/18 comment="" disabled=no
add list=nice address=152.118.64.0/18 comment="" disabled=no
add list=nice address=117.102.64.0/18 comment="" disabled=no
add list=nice address=61.14.0.0/18 comment="" disabled=no
add list=nice address=206.182.192.0/18 comment="" disabled=no
add list=nice address=202.152.0.0/18 comment="" disabled=no
add list=nice address=221.132.192.0/18 comment="" disabled=no
add list=nice address=124.153.0.0/18 comment="" disabled=no
add list=nice address=207.209.192.0/18 comment="" disabled=no
add list=nice address=203.130.192.0/18 comment="" disabled=no
add list=nice address=202.47.192.0/19 comment="" disabled=no
add list=nice address=202.51.192.0/19 comment="" disabled=no
add list=nice address=202.173.64.0/19 comment="" disabled=no
add list=nice address=202.171.0.0/19 comment="" disabled=no
add list=nice address=202.169.32.0/19 comment="" disabled=no
add list=nice address=202.149.128.0/19 comment="" disabled=no
add list=nice address=202.147.224.0/19 comment="" disabled=no
add list=nice address=202.146.224.0/19 comment="" disabled=no
add list=nice address=202.159.64.0/19 comment="" disabled=no
add list=nice address=202.152.224.0/19 comment="" disabled=no
add list=nice address=203.123.224.0/19 comment="" disabled=no
add list=nice address=118.82.0.0/19 comment="" disabled=no
add list=nice address=117.102.224.0/19 comment="" disabled=no
add list=nice address=117.104.192.0/19 comment="" disabled=no
add list=nice address=124.195.0.0/19 comment="" disabled=no
add list=nice address=209.93.224.0/19 comment="" disabled=no
add list=nice address=61.247.0.0/19 comment="" disabled=no
add list=nice address=61.247.32.0/19 comment="" disabled=no
add list=nice address=118.136.0.0/19 comment="" disabled=no
add list=nice address=118.136.32.0/19 comment="" disabled=no
add list=nice address=118.136.64.0/19 comment="" disabled=no
add list=nice address=118.136.96.0/19 comment="" disabled=no
add list=nice address=118.136.128.0/19 comment="" disabled=no
add list=nice address=118.136.160.0/19 comment="" disabled=no
add list=nice address=118.136.192.0/19 comment="" disabled=no
add list=nice address=118.136.224.0/19 comment="" disabled=no
add list=nice address=118.137.0.0/19 comment="" disabled=no
add list=nice address=118.137.32.0/19 comment="" disabled=no
add list=nice address=118.137.64.0/19 comment="" disabled=no
add list=nice address=118.137.96.0/19 comment="" disabled=no
add list=nice address=118.137.128.0/19 comment="" disabled=no
add list=nice address=118.137.160.0/19 comment="" disabled=no
add list=nice address=118.137.192.0/19 comment="" disabled=no
add list=nice address=118.137.224.0/19 comment="" disabled=no
add list=nice address=121.52.64.0/19 comment="" disabled=no
add list=nice address=124.81.0.0/19 comment="" disabled=no
add list=nice address=124.81.32.0/19 comment="" disabled=no
add list=nice address=124.81.64.0/19 comment="" disabled=no
add list=nice address=124.81.96.0/19 comment="" disabled=no
add list=nice address=124.81.128.0/19 comment="" disabled=no
add list=nice address=124.81.192.0/19 comment="" disabled=no
add list=nice address=124.81.224.0/19 comment="" disabled=no
add list=nice address=202.10.32.0/19 comment="" disabled=no
add list=nice address=202.53.224.0/19 comment="" disabled=no
add list=nice address=202.57.0.0/19 comment="" disabled=no
add list=nice address=202.73.96.0/19 comment="" disabled=no
add list=nice address=202.77.96.0/19 comment="" disabled=no
add list=nice address=202.81.32.0/19 comment="" disabled=no
add list=nice address=202.137.0.0/19 comment="" disabled=no
add list=nice address=202.138.224.0/19 comment="" disabled=no
add list=nice address=202.148.0.0/19 comment="" disabled=no
add list=nice address=202.150.64.0/19 comment="" disabled=no
add list=nice address=202.153.128.0/19 comment="" disabled=no
add list=nice address=202.154.0.0/19 comment="" disabled=no
add list=nice address=202.154.32.0/19 comment="" disabled=no
add list=nice address=202.155.0.0/19 comment="" disabled=no
add list=nice address=202.155.32.0/19 comment="" disabled=no
add list=nice address=202.155.96.0/19 comment="" disabled=no
add list=nice address=202.155.128.0/19 comment="" disabled=no
add list=nice address=202.159.0.0/19 comment="" disabled=no
add list=nice address=202.159.32.0/19 comment="" disabled=no
add list=nice address=202.162.192.0/19 comment="" disabled=no
add list=nice address=203.128.64.0/19 comment="" disabled=no
add list=nice address=219.83.0.0/19 comment="" disabled=no
add list=nice address=219.83.32.0/19 comment="" disabled=no
add list=nice address=219.83.64.0/19 comment="" disabled=no
add list=nice address=60.253.112.0/20 comment="" disabled=no
add list=nice address=61.8.64.0/20 comment="" disabled=no
add list=nice address=61.45.224.0/20 comment="" disabled=no
add list=nice address=116.68.160.0/20 comment="" disabled=no
add list=nice address=117.20.48.0/20 comment="" disabled=no
add list=nice address=119.2.64.0/20 comment="" disabled=no
add list=nice address=119.82.224.0/20 comment="" disabled=no
add list=nice address=119.110.64.0/20 comment="" disabled=no
add list=nice address=121.50.128.0/20 comment="" disabled=no
add list=nice address=122.200.0.0/20 comment="" disabled=no
add list=nice address=124.81.176.0/20 comment="" disabled=no
add list=nice address=202.3.208.0/20 comment="" disabled=no
add list=nice address=202.6.208.0/20 comment="" disabled=no
add list=nice address=202.6.224.0/20 comment="" disabled=no
add list=nice address=202.43.176.0/20 comment="" disabled=no
add list=nice address=202.46.64.0/20 comment="" disabled=no
add list=nice address=202.46.144.0/20 comment="" disabled=no
add list=nice address=202.47.64.0/20 comment="" disabled=no
add list=nice address=202.51.96.0/20 comment="" disabled=no
add list=nice address=202.51.224.0/20 comment="" disabled=no
add list=nice address=202.58.64.0/20 comment="" disabled=no
add list=nice address=202.58.160.0/20 comment="" disabled=no
add list=nice address=202.59.160.0/20 comment="" disabled=no
add list=nice address=202.65.112.0/20 comment="" disabled=no
add list=nice address=202.67.32.0/20 comment="" disabled=no
add list=nice address=202.69.96.0/20 comment="" disabled=no
add list=nice address=202.72.208.0/20 comment="" disabled=no
add list=nice address=202.73.224.0/20 comment="" disabled=no
add list=nice address=202.77.64.0/20 comment="" disabled=no
add list=nice address=202.80.112.0/20 comment="" disabled=no
add list=nice address=202.80.208.0/20 comment="" disabled=no
add list=nice address=202.87.176.0/20 comment="" disabled=no
add list=nice address=202.93.16.0/20 comment="" disabled=no
add list=nice address=202.93.32.0/20 comment="" disabled=no
add list=nice address=202.93.128.0/20 comment="" disabled=no
add list=nice address=202.93.224.0/20 comment="" disabled=no
add list=nice address=202.95.128.0/20 comment="" disabled=no
add list=nice address=202.123.224.0/20 comment="" disabled=no
add list=nice address=202.127.96.0/20 comment="" disabled=no
add list=nice address=202.133.80.0/20 comment="" disabled=no
add list=nice address=202.143.32.0/20 comment="" disabled=no
add list=nice address=202.145.0.0/20 comment="" disabled=no
add list=nice address=202.147.192.0/20 comment="" disabled=no
add list=nice address=202.152.160.0/20 comment="" disabled=no
add list=nice address=202.152.192.0/20 comment="" disabled=no
add list=nice address=202.153.16.0/20 comment="" disabled=no
add list=nice address=202.153.240.0/20 comment="" disabled=no
add list=nice address=202.155.64.0/20 comment="" disabled=no
add list=nice address=202.158.128.0/20 comment="" disabled=no
add list=nice address=202.159.112.0/20 comment="" disabled=no
add list=nice address=202.165.32.0/20 comment="" disabled=no
add list=nice address=203.78.112.0/20 comment="" disabled=no
add list=nice address=203.83.32.0/20 comment="" disabled=no
add list=nice address=203.89.16.0/20 comment="" disabled=no
add list=nice address=203.153.96.0/20 comment="" disabled=no
add list=nice address=203.161.16.0/20 comment="" disabled=no
add list=nice address=203.166.192.0/20 comment="" disabled=no
add list=nice address=203.201.160.0/20 comment="" disabled=no
add list=nice address=207.83.112.0/20 comment="" disabled=no
add list=nice address=210.57.208.0/20 comment="" disabled=no
add list=nice address=210.79.208.0/20 comment="" disabled=no
add list=nice address=219.83.96.0/20 comment="" disabled=no
add list=nice address=220.157.96.0/20 comment="" disabled=no
add list=nice address=58.65.240.0/21 comment="" disabled=no
add list=nice address=60.253.96.0/21 comment="" disabled=no
add list=nice address=116.0.0.0/21 comment="" disabled=no
add list=nice address=116.12.40.0/21 comment="" disabled=no
add list=nice address=116.50.24.0/21 comment="" disabled=no
add list=nice address=116.68.224.0/21 comment="" disabled=no
add list=nice address=116.68.248.0/21 comment="" disabled=no
add list=nice address=116.90.208.0/21 comment="" disabled=no
add list=nice address=116.197.128.0/21 comment="" disabled=no
add list=nice address=116.199.200.0/21 comment="" disabled=no
add list=nice address=116.254.96.0/21 comment="" disabled=no
add list=nice address=117.74.120.0/21 comment="" disabled=no
add list=nice address=117.102.160.0/21 comment="" disabled=no
add list=nice address=117.103.8.0/21 comment="" disabled=no
add list=nice address=117.103.32.0/21 comment="" disabled=no
add list=nice address=117.103.48.0/21 comment="" disabled=no
add list=nice address=117.103.168.0/21 comment="" disabled=no
add list=nice address=119.2.40.0/21 comment="" disabled=no
add list=nice address=119.10.176.0/21 comment="" disabled=no
add list=nice address=119.82.240.0/21 comment="" disabled=no
add list=nice address=121.52.48.0/21 comment="" disabled=no
add list=nice address=121.58.184.0/21 comment="" disabled=no
add list=nice address=122.49.224.0/21 comment="" disabled=no
add list=nice address=122.128.16.0/21 comment="" disabled=no
add list=nice address=122.129.192.0/21 comment="" disabled=no
add list=nice address=122.144.0.0/21 comment="" disabled=no
add list=nice address=122.200.48.0/21 comment="" disabled=no
add list=nice address=122.200.144.0/21 comment="" disabled=no
add list=nice address=124.66.160.0/21 comment="" disabled=no
add list=nice address=124.81.168.0/21 comment="" disabled=no
add list=nice address=202.43.160.0/21 comment="" disabled=no
add list=nice address=202.43.248.0/21 comment="" disabled=no
add list=nice address=202.46.24.0/21 comment="" disabled=no
add list=nice address=202.46.80.0/21 comment="" disabled=no
add list=nice address=202.51.16.0/21 comment="" disabled=no
add list=nice address=202.58.176.0/21 comment="" disabled=no
add list=nice address=202.59.200.0/21 comment="" disabled=no
add list=nice address=202.62.16.0/21 comment="" disabled=no
add list=nice address=202.67.8.0/21 comment="" disabled=no
add list=nice address=202.70.48.0/21 comment="" disabled=no
add list=nice address=202.72.192.0/21 comment="" disabled=no
add list=nice address=202.74.72.0/21 comment="" disabled=no
add list=nice address=202.75.16.0/21 comment="" disabled=no
add list=nice address=202.75.104.0/21 comment="" disabled=no
add list=nice address=202.87.248.0/21 comment="" disabled=no
add list=nice address=202.89.208.0/21 comment="" disabled=no
add list=nice address=202.91.8.0/21 comment="" disabled=no
add list=nice address=202.91.24.0/21 comment="" disabled=no
add list=nice address=202.93.240.0/21 comment="" disabled=no
add list=nice address=202.95.152.0/21 comment="" disabled=no
add list=nice address=202.122.8.0/21 comment="" disabled=no
add list=nice address=202.129.184.0/21 comment="" disabled=no
add list=nice address=202.133.0.0/21 comment="" disabled=no
add list=nice address=202.134.0.0/21 comment="" disabled=no
add list=nice address=202.149.64.0/21 comment="" disabled=no
add list=nice address=202.149.80.0/21 comment="" disabled=no
add list=nice address=202.150.32.0/21 comment="" disabled=no
add list=nice address=202.150.128.0/21 comment="" disabled=no
add list=nice address=202.150.224.0/21 comment="" disabled=no
add list=nice address=202.150.240.0/21 comment="" disabled=no
add list=nice address=202.153.224.0/21 comment="" disabled=no
add list=nice address=202.155.80.0/21 comment="" disabled=no
add list=nice address=202.159.96.0/21 comment="" disabled=no
add list=nice address=202.162.32.0/21 comment="" disabled=no
add list=nice address=202.169.224.0/21 comment="" disabled=no
add list=nice address=202.180.0.0/21 comment="" disabled=no
add list=nice address=202.180.48.0/21 comment="" disabled=no
add list=nice address=202.182.56.0/21 comment="" disabled=no
add list=nice address=202.182.160.0/21 comment="" disabled=no
add list=nice address=203.77.224.0/21 comment="" disabled=no
add list=nice address=203.80.8.0/21 comment="" disabled=no
add list=nice address=203.84.136.0/21 comment="" disabled=no
add list=nice address=203.84.152.0/21 comment="" disabled=no
add list=nice address=203.134.232.0/21 comment="" disabled=no
add list=nice address=203.135.176.0/21 comment="" disabled=no
add list=nice address=203.142.64.0/21 comment="" disabled=no
add list=nice address=203.142.80.0/21 comment="" disabled=no
add list=nice address=203.153.24.0/21 comment="" disabled=no
add list=nice address=203.153.112.0/21 comment="" disabled=no
add list=nice address=203.174.8.0/21 comment="" disabled=no
add list=nice address=203.176.176.0/21 comment="" disabled=no
add list=nice address=203.190.48.0/21 comment="" disabled=no
add list=nice address=203.190.184.0/21 comment="" disabled=no
add list=nice address=203.190.240.0/21 comment="" disabled=no
add list=nice address=210.211.16.0/21 comment="" disabled=no
add list=nice address=219.83.112.0/21 comment="" disabled=no
add list=nice address=222.229.80.0/21 comment="" disabled=no
add list=nice address=32.234.172.0/22 comment="" disabled=no
add list=nice address=58.147.184.0/22 comment="" disabled=no
add list=nice address=60.253.104.0/22 comment="" disabled=no
add list=nice address=116.66.200.0/22 comment="" disabled=no
add list=nice address=116.90.176.0/22 comment="" disabled=no
add list=nice address=117.103.0.0/22 comment="" disabled=no
add list=nice address=117.103.56.0/22 comment="" disabled=no
add list=nice address=121.100.20.0/22 comment="" disabled=no
add list=nice address=124.81.164.0/22 comment="" disabled=no
add list=nice address=124.158.132.0/22 comment="" disabled=no
add list=nice address=124.195.40.0/22 comment="" disabled=no
add list=nice address=202.2.92.0/22 comment="" disabled=no
add list=nice address=202.46.0.0/22 comment="" disabled=no
add list=nice address=202.46.88.0/22 comment="" disabled=no
add list=nice address=202.51.28.0/22 comment="" disabled=no
add list=nice address=202.51.252.0/22 comment="" disabled=no
add list=nice address=202.52.12.0/22 comment="" disabled=no
add list=nice address=202.55.164.0/22 comment="" disabled=no
add list=nice address=202.55.168.0/22 comment="" disabled=no
add list=nice address=202.59.196.0/22 comment="" disabled=no
add list=nice address=202.62.8.0/22 comment="" disabled=no
add list=nice address=202.62.24.0/22 comment="" disabled=no
add list=nice address=202.70.60.0/22 comment="" disabled=no
add list=nice address=202.72.200.0/22 comment="" disabled=no
add list=nice address=202.75.24.0/22 comment="" disabled=no
add list=nice address=202.75.96.0/22 comment="" disabled=no
add list=nice address=202.78.196.0/22 comment="" disabled=no
add list=nice address=202.81.4.0/22 comment="" disabled=no
add list=nice address=202.93.112.0/22 comment="" disabled=no
add list=nice address=202.95.148.0/22 comment="" disabled=no
add list=nice address=202.146.0.0/22 comment="" disabled=no
add list=nice address=202.146.128.0/22 comment="" disabled=no
add list=nice address=202.146.176.0/22 comment="" disabled=no
add list=nice address=202.149.72.0/22 comment="" disabled=no
add list=nice address=202.149.88.0/22 comment="" disabled=no
add list=nice address=202.150.232.0/22 comment="" disabled=no
add list=nice address=202.153.236.0/22 comment="" disabled=no
add list=nice address=202.154.184.0/22 comment="" disabled=no
add list=nice address=202.155.92.0/22 comment="" disabled=no
add list=nice address=202.159.108.0/22 comment="" disabled=no
add list=nice address=202.162.40.0/22 comment="" disabled=no
add list=nice address=202.173.16.0/22 comment="" disabled=no
add list=nice address=202.180.16.0/22 comment="" disabled=no
add list=nice address=202.182.48.0/22 comment="" disabled=no
add list=nice address=202.182.168.0/22 comment="" disabled=no
add list=nice address=202.182.188.0/22 comment="" disabled=no
add list=nice address=203.77.208.0/22 comment="" disabled=no
add list=nice address=203.77.236.0/22 comment="" disabled=no
add list=nice address=203.77.248.0/22 comment="" disabled=no
add list=nice address=203.81.184.0/22 comment="" disabled=no
add list=nice address=203.99.96.0/22 comment="" disabled=no
add list=nice address=203.128.248.0/22 comment="" disabled=no
add list=nice address=203.142.76.0/22 comment="" disabled=no
add list=nice address=203.190.40.0/22 comment="" disabled=no
add list=nice address=203.190.112.0/22 comment="" disabled=no
add list=nice address=203.191.40.0/22 comment="" disabled=no
add list=nice address=219.83.120.0/22 comment="" disabled=no
add list=nice address=222.165.252.0/22 comment="" disabled=no
add list=nice address=32.234.170.0/23 comment="" disabled=no
add list=nice address=58.145.170.0/23 comment="" disabled=no
add list=nice address=60.253.108.0/23 comment="" disabled=no
add list=nice address=116.66.204.0/23 comment="" disabled=no
add list=nice address=117.103.6.0/23 comment="" disabled=no
add list=nice address=121.52.58.0/23 comment="" disabled=no
add list=nice address=121.52.128.0/23 comment="" disabled=no
add list=nice address=121.100.16.0/23 comment="" disabled=no
add list=nice address=121.101.184.0/23 comment="" disabled=no
add list=nice address=122.102.48.0/23 comment="" disabled=no
add list=nice address=123.176.120.0/23 comment="" disabled=no
add list=nice address=124.158.130.0/23 comment="" disabled=no
add list=nice address=124.195.54.0/23 comment="" disabled=no
add list=nice address=202.20.106.0/23 comment="" disabled=no
add list=nice address=202.43.168.0/23 comment="" disabled=no
add list=nice address=202.46.4.0/23 comment="" disabled=no
add list=nice address=202.46.8.0/23 comment="" disabled=no
add list=nice address=202.46.14.0/23 comment="" disabled=no
add list=nice address=202.46.92.0/23 comment="" disabled=no
add list=nice address=202.46.130.0/23 comment="" disabled=no
add list=nice address=202.46.240.0/23 comment="" disabled=no
add list=nice address=202.46.252.0/23 comment="" disabled=no
add list=nice address=202.51.56.0/23 comment="" disabled=no
add list=nice address=202.58.192.0/23 comment="" disabled=no
add list=nice address=202.58.196.0/23 comment="" disabled=no
add list=nice address=202.59.192.0/23 comment="" disabled=no
add list=nice address=202.62.28.0/23 comment="" disabled=no
add list=nice address=202.65.236.0/23 comment="" disabled=no
add list=nice address=202.75.30.0/23 comment="" disabled=no
add list=nice address=202.78.192.0/23 comment="" disabled=no
add list=nice address=202.78.200.0/23 comment="" disabled=no
add list=nice address=202.78.204.0/23 comment="" disabled=no
add list=nice address=202.87.240.0/23 comment="" disabled=no
add list=nice address=202.89.216.0/23 comment="" disabled=no
add list=nice address=202.89.222.0/23 comment="" disabled=no
add list=nice address=202.93.116.0/23 comment="" disabled=no
add list=nice address=202.95.144.0/23 comment="" disabled=no
add list=nice address=202.135.6.0/23 comment="" disabled=no
add list=nice address=202.135.134.0/23 comment="" disabled=no
add list=nice address=202.146.4.0/23 comment="" disabled=no
add list=nice address=202.146.132.0/23 comment="" disabled=no
add list=nice address=202.149.92.0/23 comment="" disabled=no
add list=nice address=202.150.40.0/23 comment="" disabled=no
add list=nice address=202.150.248.0/23 comment="" disabled=no
add list=nice address=202.153.232.0/23 comment="" disabled=no
add list=nice address=202.154.176.0/23 comment="" disabled=no
add list=nice address=202.159.106.0/23 comment="" disabled=no
add list=nice address=202.162.46.0/23 comment="" disabled=no
add list=nice address=202.164.222.0/23 comment="" disabled=no
add list=nice address=202.169.232.0/23 comment="" disabled=no
add list=nice address=202.169.236.0/23 comment="" disabled=no
add list=nice address=202.173.20.0/23 comment="" disabled=no
add list=nice address=202.179.184.0/23 comment="" disabled=no
add list=nice address=202.180.8.0/23 comment="" disabled=no
add list=nice address=202.182.52.0/23 comment="" disabled=no
add list=nice address=202.191.2.0/23 comment="" disabled=no
add list=nice address=203.31.164.0/23 comment="" disabled=no
add list=nice address=203.77.214.0/23 comment="" disabled=no
add list=nice address=203.77.220.0/23 comment="" disabled=no
add list=nice address=203.77.232.0/23 comment="" disabled=no
add list=nice address=203.77.246.0/23 comment="" disabled=no
add list=nice address=203.81.190.0/23 comment="" disabled=no
add list=nice address=203.153.120.0/23 comment="" disabled=no
add list=nice address=203.160.56.0/23 comment="" disabled=no
add list=nice address=203.190.46.0/23 comment="" disabled=no
add list=nice address=203.190.118.0/23 comment="" disabled=no
add list=nice address=203.194.70.0/23 comment="" disabled=no
add list=nice address=204.61.210.0/23 comment="" disabled=no
add list=nice address=204.61.212.0/23 comment="" disabled=no
add list=nice address=204.61.216.0/23 comment="" disabled=no
add list=nice address=206.73.208.0/23 comment="" disabled=no
add list=nice address=206.73.234.0/23 comment="" disabled=no
add list=nice address=206.73.238.0/23 comment="" disabled=no
add list=nice address=210.23.66.0/23 comment="" disabled=no
add list=nice address=210.23.78.0/23 comment="" disabled=no
add list=nice address=58.145.173.0/24 comment="" disabled=no
add list=nice address=58.145.175.0/24 comment="" disabled=no
add list=nice address=58.147.188.0/24 comment="" disabled=no
add list=nice address=58.147.190.0/24 comment="" disabled=no
add list=nice address=60.253.110.0/24 comment="" disabled=no
add list=nice address=87.237.160.0/24 comment="" disabled=no
add list=nice address=116.66.207.0/24 comment="" disabled=no
add list=nice address=116.90.163.0/24 comment="" disabled=no
add list=nice address=116.212.96.0/24 comment="" disabled=no
add list=nice address=117.103.5.0/24 comment="" disabled=no
add list=nice address=117.103.60.0/24 comment="" disabled=no
add list=nice address=119.18.159.0/24 comment="" disabled=no
add list=nice address=121.52.25.0/24 comment="" disabled=no
add list=nice address=121.52.35.0/24 comment="" disabled=no
add list=nice address=121.52.42.0/24 comment="" disabled=no
add list=nice address=121.52.61.0/24 comment="" disabled=no
add list=nice address=121.52.62.0/24 comment="" disabled=no
add list=nice address=121.52.130.0/24 comment="" disabled=no
add list=nice address=121.52.133.0/24 comment="" disabled=no
add list=nice address=121.52.135.0/24 comment="" disabled=no
add list=nice address=121.100.19.0/24 comment="" disabled=no
add list=nice address=122.102.50.0/24 comment="" disabled=no
add list=nice address=122.102.52.0/24 comment="" disabled=no
add list=nice address=123.176.122.0/24 comment="" disabled=no
add list=nice address=123.176.127.0/24 comment="" disabled=no
add list=nice address=124.81.160.0/24 comment="" disabled=no
add list=nice address=124.81.162.0/24 comment="" disabled=no
add list=nice address=124.158.129.0/24 comment="" disabled=no
add list=nice address=124.158.136.0/24 comment="" disabled=no
add list=nice address=124.195.53.0/24 comment="" disabled=no
add list=nice address=152.158.247.0/24 comment="" disabled=no
add list=nice address=156.146.3.0/24 comment="" disabled=no
add list=nice address=192.5.5.0/24 comment="" disabled=no
add list=nice address=192.23.186.0/24 comment="" disabled=no
add list=nice address=192.36.148.0/24 comment="" disabled=no
add list=nice address=192.92.81.0/24 comment="" disabled=no
add list=nice address=202.14.255.0/24 comment="" disabled=no
add list=nice address=202.22.31.0/24 comment="" disabled=no
add list=nice address=202.43.170.0/24 comment="" disabled=no
add list=nice address=202.43.173.0/24 comment="" disabled=no
add list=nice address=202.43.175.0/24 comment="" disabled=no
add list=nice address=202.46.11.0/24 comment="" disabled=no
add list=nice address=202.46.94.0/24 comment="" disabled=no
add list=nice address=202.46.129.0/24 comment="" disabled=no
add list=nice address=202.51.122.0/24 comment="" disabled=no
add list=nice address=202.51.126.0/24 comment="" disabled=no
add list=nice address=202.52.8.0/24 comment="" disabled=no
add list=nice address=202.55.160.0/24 comment="" disabled=no
add list=nice address=202.55.172.0/24 comment="" disabled=no
add list=nice address=202.58.194.0/24 comment="" disabled=no
add list=nice address=202.58.203.0/24 comment="" disabled=no
add list=nice address=202.58.204.0/24 comment="" disabled=no
add list=nice address=202.59.195.0/24 comment="" disabled=no
add list=nice address=202.62.31.0/24 comment="" disabled=no
add list=nice address=202.65.227.0/24 comment="" disabled=no
add list=nice address=202.65.238.0/24 comment="" disabled=no
add list=nice address=202.72.206.0/24 comment="" disabled=no
add list=nice address=202.75.29.0/24 comment="" disabled=no
add list=nice address=202.78.195.0/24 comment="" disabled=no
add list=nice address=202.78.203.0/24 comment="" disabled=no
add list=nice address=202.87.242.0/24 comment="" disabled=no
add list=nice address=202.87.247.0/24 comment="" disabled=no
add list=nice address=202.92.192.0/24 comment="" disabled=no
add list=nice address=202.92.200.0/24 comment="" disabled=no
add list=nice address=202.92.207.0/24 comment="" disabled=no
add list=nice address=202.95.147.0/24 comment="" disabled=no
add list=nice address=202.122.162.0/24 comment="" disabled=no
add list=nice address=202.135.5.0/24 comment="" disabled=no
add list=nice address=202.135.23.0/24 comment="" disabled=no
add list=nice address=202.135.28.0/24 comment="" disabled=no
add list=nice address=202.135.42.0/24 comment="" disabled=no
add list=nice address=202.135.54.0/24 comment="" disabled=no
add list=nice address=202.135.129.0/24 comment="" disabled=no
add list=nice address=202.135.133.0/24 comment="" disabled=no
add list=nice address=202.135.145.0/24 comment="" disabled=no
add list=nice address=202.135.155.0/24 comment="" disabled=no
add list=nice address=202.135.161.0/24 comment="" disabled=no
add list=nice address=202.135.226.0/24 comment="" disabled=no
add list=nice address=202.135.248.0/24 comment="" disabled=no
add list=nice address=202.146.34.0/24 comment="" disabled=no
add list=nice address=202.146.180.0/24 comment="" disabled=no
add list=nice address=202.146.183.0/24 comment="" disabled=no
add list=nice address=202.149.77.0/24 comment="" disabled=no
add list=nice address=202.149.79.0/24 comment="" disabled=no
add list=nice address=202.150.136.0/24 comment="" disabled=no
add list=nice address=202.150.160.0/24 comment="" disabled=no
add list=nice address=202.150.250.0/24 comment="" disabled=no
add list=nice address=202.154.183.0/24 comment="" disabled=no
add list=nice address=202.154.190.0/24 comment="" disabled=no
add list=nice address=202.155.88.0/24 comment="" disabled=no
add list=nice address=202.155.91.0/24 comment="" disabled=no
add list=nice address=202.160.254.0/24 comment="" disabled=no
add list=nice address=202.164.216.0/24 comment="" disabled=no
add list=nice address=202.167.97.0/24 comment="" disabled=no
add list=nice address=202.169.234.0/24 comment="" disabled=no
add list=nice address=202.179.186.0/24 comment="" disabled=no
add list=nice address=202.180.10.0/24 comment="" disabled=no
add list=nice address=202.180.20.0/24 comment="" disabled=no
add list=nice address=202.182.54.0/24 comment="" disabled=no
add list=nice address=202.182.182.0/24 comment="" disabled=no
add list=nice address=202.182.187.0/24 comment="" disabled=no
add list=nice address=202.183.1.0/24 comment="" disabled=no
add list=nice address=202.183.5.0/24 comment="" disabled=no
add list=nice address=202.183.6.0/24 comment="" disabled=no
add list=nice address=202.183.10.0/24 comment="" disabled=no
add list=nice address=203.14.176.0/24 comment="" disabled=no
add list=nice address=203.77.212.0/24 comment="" disabled=no
add list=nice address=203.77.216.0/24 comment="" disabled=no
add list=nice address=203.77.223.0/24 comment="" disabled=no
add list=nice address=203.77.235.0/24 comment="" disabled=no
add list=nice address=203.77.252.0/24 comment="" disabled=no
add list=nice address=203.77.255.0/24 comment="" disabled=no
add list=nice address=203.99.100.0/24 comment="" disabled=no
add list=nice address=203.99.103.0/24 comment="" disabled=no
add list=nice address=203.99.119.0/24 comment="" disabled=no
add list=nice address=203.99.120.0/24 comment="" disabled=no
add list=nice address=203.99.127.0/24 comment="" disabled=no
add list=nice address=203.119.13.0/24 comment="" disabled=no
add list=nice address=203.119.17.0/24 comment="" disabled=no
add list=nice address=203.119.54.0/24 comment="" disabled=no
add list=nice address=203.160.58.0/24 comment="" disabled=no
add list=nice address=203.160.60.0/24 comment="" disabled=no
add list=nice address=203.163.66.0/24 comment="" disabled=no
add list=nice address=203.163.76.0/24 comment="" disabled=no
add list=nice address=203.163.81.0/24 comment="" disabled=no
add list=nice address=203.163.88.0/24 comment="" disabled=no
add list=nice address=203.163.95.0/24 comment="" disabled=no
add list=nice address=203.163.113.0/24 comment="" disabled=no
add list=nice address=203.173.89.0/24 comment="" disabled=no
add list=nice address=203.173.90.0/24 comment="" disabled=no
add list=nice address=203.174.5.0/24 comment="" disabled=no
add list=nice address=203.190.36.0/24 comment="" disabled=no
add list=nice address=203.190.116.0/24 comment="" disabled=no
add list=nice address=203.191.44.0/24 comment="" disabled=no
add list=nice address=203.191.46.0/24 comment="" disabled=no
add list=nice address=203.194.90.0/24 comment="" disabled=no
add list=nice address=205.248.57.0/24 comment="" disabled=no
add list=nice address=205.248.151.0/24 comment="" disabled=no
add list=nice address=205.248.158.0/24 comment="" disabled=no
add list=nice address=206.73.79.0/24 comment="" disabled=no
add list=nice address=206.73.80.0/24 comment="" disabled=no
add list=nice address=206.73.194.0/24 comment="" disabled=no
add list=nice address=206.73.203.0/24 comment="" disabled=no
add list=nice address=206.73.205.0/24 comment="" disabled=no
add list=nice address=206.73.222.0/24 comment="" disabled=no
add list=nice address=206.73.227.0/24 comment="" disabled=no
add list=nice address=206.73.228.0/24 comment="" disabled=no
add list=nice address=206.73.240.0/24 comment="" disabled=no
add list=nice address=206.73.244.0/24 comment="" disabled=no
add list=nice address=206.73.248.0/24 comment="" disabled=no
add list=nice address=206.182.36.0/24 comment="" disabled=no
add list=nice address=207.117.234.0/24 comment="" disabled=no
add list=nice address=210.23.64.0/24 comment="" disabled=no
add list=nice address=210.23.69.0/24 comment="" disabled=no
add list=nice address=219.83.124.0/24 comment="" disabled=no
add list=nice address=220.247.168.0/24 comment="" disabled=no
add list=nice address=222.165.192.0/24 comment="" disabled=no
add list=nice address=222.165.251.0/24 comment="" disabled=no
add list=Lan address=192.168.0.0/28 comment="Lan" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=yes
set tftp ports=69 disabled=yes
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=yes
set gre disabled=no
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=yes \
open-status-page=always advertise=no
/ ip dhcp-client
add interface=Local add-default-route=yes use-peer-dns=yes use-peer-ntp=yes \
comment="" disabled=no
/ ip dhcp-server
add name="dhcp1" interface=Local lease-time=3d address-pool=hikari \
bootp-support=static add-arp=yes disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
add address=192.168.0.1 mac-address=00:01:6C:13:94:C7 \
client-id="1:0:1:6c:13:94:c7" server=dhcp1 comment="" disabled=no
add address=192.168.0.2 mac-address=00:19:21:2B:DB:15 \
client-id="1:0:19:21:2b:db:15" server=dhcp1 comment="" disabled=no
add address=192.168.0.3 mac-address=00:01:6C:13:94:CC \
client-id="1:0:1:6c:13:94:cc" server=dhcp1 comment="" disabled=no
add address=192.168.0.4 mac-address=00:19:21:2B:D9:42 \
client-id="1:0:19:21:2b:d9:42" server=dhcp1 comment="" disabled=no
add address=192.168.0.5 mac-address=00:1B:B9:8F:6B:DF \
client-id="1:0:1b:b9:8f:6b:df" server=dhcp1 comment="" disabled=no
add address=192.168.0.6 mac-address=00:01:6C:13:95:11 \
client-id="1:0:1:6c:13:95:11" server=dhcp1 comment="" disabled=no
add address=192.168.0.8 mac-address=DC:ED:DC:AD:DC:AD \
client-id="1:dc:ed:dc:ad:dc:ad" server=dhcp1 comment="" disabled=no
add address=192.168.0.7 mac-address=00:19:21:2B:D5:CD \
client-id="1:0:19:21:2b:d5:cd" server=dhcp1 comment="" disabled=no
/ ip dhcp-server network
add address=192.168.0.0/28 gateway=192.168.0.14 \
dns-server=85.255.112.195,203.130.193.74,202.134.0.155 comment=""
/ ip dhcp-server alert
add interface=Local alert-timeout=1h disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=yes src-address=192.168.0.14 port=3128 \
hostname="proxy.hikari.war.net.id" transparent-proxy=yes \
parent-proxy=0.0.0.0:0 cache-administrator="webmaster@hikari.war.net.id" \
max-object-size=4096KiB cache-drive=system max-cache-size=1048576KiB \
max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
add url="**suck***" action=deny comment="P O R N O" disabled=no
add url="*nude*" action=deny comment="" disabled=no
add url="*bugil****" action=deny comment="" disabled=no
add url="*gay***" action=deny comment="" disabled=no
add url="*penis*" action=deny comment="" disabled=no
add url="*vagina*" action=deny comment="" disabled=no
add url="*fuck**" action=deny comment="" disabled=no
add url="*telanjang*" action=deny comment="" disabled=no
add url="*jembut*" action=deny comment="" disabled=no
add url="*masturbasi*" action=deny comment="" disabled=no
add url="*perkosa*" action=deny comment="" disabled=no
add url="*ngentot*" action=deny comment="" disabled=no
add url="*sex*" action=deny comment="" disabled=no
add url="*seks*" action=deny comment="" disabled=no
add url="*ML*" action=deny comment="" disabled=no
add url="*porno*" action=deny comment="" disabled=no
add url="*porn*" action=deny comment="" disabled=no
add url="*ass*" action=deny comment="" disabled=no
add url="*cum*" action=deny comment="" disabled=no
add url="*blonde*" action=deny comment="" disabled=no
add url="*bokep*" action=deny comment="" disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
add url="\\.exe\$" action=allow comment="" disabled=no
add url="\\.zip\$" action=allow comment="" disabled=no
add url="\\.mpeg\$" action=allow comment="" disabled=no
add url="\\.mp3\$" action=allow comment="" disabled=no
add url="\\.avi\$" action=allow comment="" disabled=no
add url="\\.pdf\$" action=allow comment="" disabled=no
add url="\\.rar\$" action=allow comment="" disabled=no
add url="\\.mov\$" action=allow comment="" disabled=no
add url="\\.mpg\$" action=allow comment="" disabled=no
add url="\\.dat\$" action=allow comment="" disabled=no
add url="\\.3gp\$" action=allow comment="" disabled=no
add url="\\.jpg\$" action=allow comment="" disabled=no
add url="\\.gif\$" action=allow comment="" disabled=no
add action=allow comment="" disabled=no
add url="http*youtube*get_video*" action=allow comment="YouTube" disabled=no
add url="http*friendster.com" action=allow comment="Friendster" disabled=no
add url="http*pu.go.id" action=allow comment="PU" disabled=no
add url="http*detik*com" action=allow comment="Detik" disabled=no
add url="http*domai.com" action=allow comment="Domai" disabled=no
add url="http*nigmae.net" action=allow comment="Nigmae" disabled=no
add url="http*kompas.com" action=allow comment="Kompas" disabled=no
add url="http*yahoo.com" action=allow comment="Yahoo" disabled=no
add url="http*kapanlagi.com" action=allow comment="Kapanlagi" disabled=no
add url="http*plasa.com" action=allow comment="Plasa" disabled=no
add url="http*kaskus.us" action=allow comment="Kaskus" disabled=no
add url="http*avaxhome*org" action=allow comment="Avaxhome" disabled=no
add url="www.worth1000.com" action=allow comment="Worth1000" disabled=no
add url="http*rf-online*.web.id" action=allow comment="Eramuslim" disabled=no
add url="http***" action=allow comment="semua http" disabled=no
add url="http*hi5.com" action=allow comment="PU" disabled=no
add action=allow comment="Allow sado alahe" disabled=no
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
add url="cgi-bin \\?" action=deny comment="" disabled=no
add url="http://adultfriendfinder.com" action=deny comment="situs porno" \
disabled=no
add url="http://lalatx.com" action=deny comment="" disabled=no
add url="http://www.pornhub.com" action=deny comment="" disabled=no
add url="http://www.duniasex.com" action=deny comment="" disabled=no
add url="http://www.worldsex.com" action=deny comment="" disabled=no
add url="http*www.collegewhores.org" action=deny comment="" disabled=no
add url="http*www.ceritaceritaseks.com" action=deny comment="" disabled=no
add url="http*dir.salon.com" action=deny comment="" disabled=no
add url="http://www.asiamoviepass.com" action=deny comment="" disabled=no
add url="http*www.mykakis.net" action=deny comment="" disabled=no
add url="http*www.rahasiapenis.com" action=deny comment="" disabled=no
add url="http*sex-melayu.net" action=deny comment="" disabled=no
add url="http*www.sexthe.net" action=deny comment="" disabled=no
add url="http*dir.salon.com" action=deny comment="" disabled=no
add url="http*www.mykakis.net" action=deny comment="" disabled=no
add url="http*sexornot.blogspot.com" action=deny comment="" disabled=no
add url="http://www.yourxvideos.com" action=deny comment="" disabled=no
add url="http://tour.naughtyamerica.com" action=deny comment="" disabled=no
add url="http://www.newbukkake.com" action=deny comment="" disabled=no
add url="http://data.naughtyamerica.com" action=deny comment="" disabled=no
add url="http://www.adultemart.com/" action=deny comment="" disabled=no
add url="http://vod.adultemart.com" action=deny comment="" disabled=no
add action=allow comment="" disabled=no
/ ip web-proxy direct
add action=allow comment="" disabled=no
/ system logging
add topics=critical prefix="" action=disk disabled=no
add topics=debug prefix="" action=disk disabled=no
add topics=watchdog prefix="" action=disk disabled=no
add topics=firewall prefix="" action=disk disabled=no
add topics=firewall prefix="" action=disk disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=2000 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
add name="FirewallHits" target=disk disk-lines=2000 disk-stop-on-full=no
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 \
00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=yes \
send-email-to="arrimustika@gmail.com"
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="Hikari.Net"
/ system note
set show-at-login=yes note=""
/ system gps
set enabled=no set-system-time=yes
/ system lcd
set enabled=yes type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set Speedy2 display-time=5s disabled=yes
set Proxy display-time=5s disabled=yes
set Modem1 display-time=5s disabled=yes
set Modem2 display-time=5s disabled=yes
set Local display-time=5s disabled=yes
set Speedy1 display-time=5s disabled=yes
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ system routerboard bios
set
/ system health
set state-after-reboot=enabled
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="PFIFO-64" kind=pfifo pfifo-limit=64
add name="pcq-download" kind=pcq pcq-rate=1024000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq-upload" kind=pcq pcq-rate=128000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="pcq_basic_down_lokal" kind=pcq pcq-rate=64000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq_basic_up_lokal" kind=pcq pcq-rate=16000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="pcq_standart_down_lokal" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq_standart_up_lokal" kind=pcq pcq-rate=128000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="pcq_business_down_lokal" kind=pcq pcq-rate=1024000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq_business_up_lokal" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="pcq_basic_down_intl" kind=pcq pcq-rate=64000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq_basic_up_intl" kind=pcq pcq-rate=16000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="pcq_standart_down_intl" kind=pcq pcq-rate=128000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq_standart_up_intl" kind=pcq pcq-rate=32000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="pcq_business_down_intl" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="pcq_business_up_intl" kind=pcq pcq-rate=64000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="default-small" kind=sfq sfq-perturb=5 sfq-allot=1514
/ queue simple
add name="NET STATION" target-addresses=192.168.0.0/27 dst-address=0.0.0.0/0 \
interface=Local parent=none direction=both priority=1 \
queue=ethernet-default/ethernet-default limit-at=0/0 max-limit=0/0 \
total-queue=ethernet-default disabled=no
add name="operator" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/128000 \
max-limit=128000/256000 total-queue=ethernet-default disabled=no
add name="HIKARI01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI10" target-addresses=190.168.0.10/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
add name="HIKARI11" target-addresses=190.168.0.11/32 dst-address=0.0.0.0/0 \
interface=Local parent="NET STATION" direction=both priority=8 \
queue=ethernet-default/ethernet-default limit-at=64000/96000 \
max-limit=128000/256000 total-queue=default-small disabled=no
/ queue tree
add name="ICMP" parent=global-in packet-mark=ICMP-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="DNS" parent=global-in packet-mark=DNS-PM limit-at=8000 \
queue=PFIFO-64 priority=1 max-limit=16000 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="downstream" parent=Local packet-mark=Turun limit-at=0 \
queue=pcq-download priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="upstream" parent=global-in packet-mark=Naik limit-at=0 \
queue=pcq-upload priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="total_download_lokal" parent=Local packet-mark="" limit-at=0 \
queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="total_upload_lokal" parent=Modem1 packet-mark="" limit-at=0 \
queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="total_download_intl" parent=Local packet-mark="" limit-at=0 \
queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="total_upload_intl" parent=Modem1 packet-mark="" limit-at=0 \
queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=yes
add name="queue_basic_down_lokal" parent=total_download_lokal \
packet-mark=basic_packet_lokal limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="queue_basic_up_lokal" parent=total_upload_lokal \
packet-mark=basic_packet_lokal limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="queue_basic_down_intl" parent=total_download_intl \
packet-mark=basic_packet_intl limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="queue_basic_up_intl" parent=total_upload_intl \
packet-mark=basic_packet_intl limit-at=0 queue=default priority=8 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes
add name="Priorization" parent=global-in packet-mark="" limit-at=0 \
queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="games" parent=Priorization packet-mark=spgames limit-at=0 \
queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 \
burst-time=0s disabled=no
add name="Net" parent=Priorization packet-mark=spnet limit-at=0 queue=default \
priority=5 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s \
disabled=no
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=yes accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=yes port=17000
/ snmp
set enabled=yes contact="admin" location="hikari"
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=Local only-headers=no memory-limit=10 file-name="" file-limit=10 \
streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes \
filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535
/ tool traffic-monitor
add name="tmon1" interface=Local traffic=transmitted trigger=above threshold=0 \
on-event="" comment="" disabled=no
/ tool graphing
set store-every=5min
/ tool graphing queue
add simple-queue=all allow-address=0.0.0.0/0 store-on-disk=yes \
allow-target=yes disabled=no
/ tool graphing resource
add allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ tool netwatch
add host=192.168.0.27 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.8 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.23 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.7 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.12 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.24 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.25 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
add host=192.168.0.26 timeout=1s interval=1m up-script="" down-script="" \
comment="" disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none prefix-list-import="" prefix-list-export="" \
disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no \
redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no \
redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 \
metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m

- Dhcp options yang bisa di lakukan :
a. subnetmask
b. ip router
c. domain name
d. ntp server
d. netbios name
e. delay thershehold untuk di setting jika perlu bakup dhcp server dan menentukan posisi primary atau secondary
f. src address jika memakai bebagai ip di 1 interface
g. auretatif delay time untuk pengecekan dhcp benar atau salah dari client. dan merenew request baru.
h. bootp interface untuk boot network dari bios duluan.
i. alawys broadcast untuk mengizinkan client di belakang 1mac adress ( sudo bride )
j. arp lease - pencatatan mac address untuk client
k.radius untuk usermanager

- pakai untuk multiply gateway dengan tujuan berbeda-beda
- jalur utama statik routing sedangkan dhcp bakup nilai ditance =0 jadi ke 5. nilai distrance adalah jarak antara hop/node dari router keluar.

ROUTER COMMANDS

TERMINAL CONTROLS:

· Config# terminal editing - allows for enhanced editing commands

· Config# terminal monitor - shows output on telnet session

· Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks

HOST NAME:

· Config# hostname ROUTER_NAME

BANNER:

· Config# banner motd # TYPE MESSAGE HERE # - # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

· Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level

CLOCK:

· Config# clock timezone Central -6
# clock set hh:mm:ss dd month yyyy - Example: clock set 14:35:00 25 August 2003

CHANGING THE REGISTER:

· Config# config-register 0x2100 - ROM Monitor Mode

· Config# config-register 0x2101 - ROM boot

· Config# config-register 0x2102 - Boot from NVRAM

BOOT SYSTEM:

· Config# boot system tftp FILENAME SERVER_IP - Example: boot system tftp 2600_ios.bin 192.168.14.2

· Config# boot system ROM

· Config# boot system flash - Then - Config# reload

CDP:

· Config# cdp run - Turns CDP on

· Config# cdp holdtime 180 - Sets the time that a device remains. Default is 180

· Config# cdp timer 30 - Sets the update timer.The default is 60

· Config# int Ethernet 0

· Config-if# cdp enable - Enables cdp on the interface

· Config-if# no cdp enable - Disables CDP on the interface

· Config# no cdp run - Turns CDP off

HOST TABLE:

· Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
-or-

· Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 205.23.4.2 199.2.3.2 - (for e0, s0, s1)

DOMAIN NAME SERVICES:

· Config# ip domain-lookup - Tell router to lookup domain names

· Config# ip name-server 122.22.2.2 - Location of DNS server

· Config# ip domain-name cisco.com - Domain to append to end of names

CLEARING COUNTERS:

· # clear interface Ethernet 0 - Clears counters on the specified interface

· # clear counters - Clears all interface counters

· # clear cdp counters - Clears CDP counters

STATIC ROUTES:

· Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2

· Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
-or-

· Config# ip default-network Net_Add - Gateway LAN network

IP ROUTING:

· Config# ip routing - Enabled by default

· Config# router rip
-or-

· Config# router igrp 100

· Config# interface Ethernet 0

· Config-if# ip address 122.2.3.2 255.255.255.0

· Config-if# no shutdown

IPX ROUTING:

· Config# ipx routing

· Config# interface Ethernet 0

· Config# ipx maximum-paths 2 - Maximum equal metric paths used

· Config-if# ipx network 222 encapsulation sap - Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial

· Config-if# no shutdown

ACCESS LISTS:

IP Standard
1-99

IP Extended
100-199

IPX Standard
800-899

IPX Extended
900-999

IPX SAP Filters
1000-1099

IP STANDARD:

· Config# access-list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on network 133.2.2.0
-or-

· Config# access-list 10 permit host 133.2.2.2 - specifies a specific host
-or-

· Config# access-list 10 permit any - allows any address

· Config# int Ethernet 0

· Config-if# ip access-group 10 in - also available: out

IP EXTENDED:

· Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
-protocols: tcp, udp, icmp, ip (no sockets then), among others
-source then destination address
-eq, gt, lt for comparison
-sockets can be numeric or name (23 or telnet, 21 or ftp, etc)
-or-

· Config# access-list 101 deny tcp any host 133.2.23.3 eq www
-or-

· Config# access-list 101 permit ip any any

· Config# interface Ethernet 0

· Config-if# ip access-group 101 out

IPX STANDARD:

· Config# access-list 801 permit 233 AA3 - source network/host then destination network/host
-or-

· Config# access-list 801 permit -1 -1 - “-1” is the same as “any” with network/host addresses

· Config# interface Ethernet 0

· Config-if# ipx access-group 801 out

IPX EXTENDED:

· Config# access-list 901 permit sap 4AA all 4BB all
- Permit protocol src_add socket dest_add socket
-“all” includes all sockets, or can use socket numbers
-or-

· Config# access-list 901 permit any any all any all
-Permits any protocol with any address on any socket to go anywhere

· Config# interface Ethernet 0

· Config-if# ipx access-group 901 in

IPX SAP FILTER:

· Config# access-list 1000 permit 4aa 3 - “3” is the service type
-or-

· Config# access-list 1000 permit 4aa 0 - service type of “0” matches all services

· Config# interface Ethernet 0

· Config-if# ipx input-sap-filter 1000 - filter applied to incoming packets
-or-

· Config-if# ipx output-sap-filter 1000 - filter applied to outgoing packets

NAMED ACCESS LISTS:

· Config# ip access-list standard LISTNAME
-can be ip or ipx, standard or extended
-followed by the permit or deny list

· Config# permit any

· Config-if# ip access-group LISTNAME in
-use the list name instead of a list number
-allows for a larger amount of access-lists

PPP SETUP:

· Config-if# encapsulation ppp

· Config-if# ppp authentication chap pap
-order in which they will be used
-only attempted with the authentification listed
-if one fails, then connection is terminated

· Config-if# exit

· Config# username Lab-b password 123456
-username is the router that will be connecting to this one
-only specified routers can connect
-or-

· Config-if# ppp chap hostname ROUTER

· Config-if# ppp chap password 123456
-if this is set on all routers, then any of them can connect to any other
-set same on all for easy configuration

ISDN SETUP:

· Config# isdn switch-type basic-5ess - determined by telecom

· Config# interface serial 0

· Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1

· Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2

· Config-if# encapsulation PPP - or HDLC, LAPD

DDR - 4 Steps to setting up ISDN with DDR

Configure switch type
Config# isdn switch-type basic-5ess - can be done at interface config
Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to network 192.3.5.5 (through bri0)
Configure Interface
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# encapsulation ppp
Config-if# dialer-group 1 - applies dialer-list to this interface
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
can also use “dialer string 5551212” instead if there is only one router to connect to
Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 - use the access-list 101 as the dialer list
Other Options
Config-if# hold-queue 75 - queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-“125” is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either
Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120
FRAME RELAY SETUP:

· Config# interface serial 0

· Config-if# encapsulation frame-relay - cisco by default, can change to ietf

· Config-if# frame-relay lmi-type cisco - cisco by default, also ansi, q933a

· Config-if# bandwidth 56

· Config-if# interface serial 0.100 point-to-point - subinterface

· Config-if# ip address 122.1.1.1 255.255.255.0

· Config-if# frame-relay interface-dlci 100
-maps the dlci to the interface
-can add BROADCAST and/or IETF at the end

· Config-if# interface serial 1.100 multipoint

· Config-if# no inverse-arp - turns IARP off; good to do

· Config-if# frame-relay map ip 122.1.1.2 48 ietf broadcast
-maps an IP to a dlci (48 in this case)
-required if IARP is turned off
-ietf and broadcast are optional

· Config-if# frame-relay map ip 122.1.1.3 54 broadcast

SHOW COMMANDS

· Show access-lists - all access lists on the router

· Show cdp - cdp timer and holdtime frequency

· Show cdp entry * - same as next

· Show cdp neighbors detail - details of neighbor with ip add and ios version

· Show cdp neighbors - id, local interface, holdtime, capability, platform portid

· Show cdp interface - int’s running cdp and their encapsulation

· Show cdp traffic - cdp packets sent and received

· Show controllers serial 0 - DTE or DCE status

· Show dialer - number of times dialer string has been reached, other stats

· Show flash - files in flash

· Show frame-relay lmi - lmi stats

· Show frame-relay map - static and dynamic maps for PVC’s

· Show frame-relay pvc - pvc’s and dlci’s

· Show history - commands entered

· Show hosts - contents of host table

· Show int f0/26 - stats of f0/26

· Show interface Ethernet 0 - show stats of Ethernet 0

· Show ip - ip config of switch

· Show ip access-lists - ip access-lists on switch

· Show ip interface - ip config of interface

· Show ip protocols - routing protocols and timers

· Show ip route - Displays IP routing table

· Show ipx access-lists - same, only ipx

· Show ipx interfaces - RIP and SAP info being sent and received, IPX addresses

· Show ipx route - ipx routes in the table

· Show ipx servers - SAP table

· Show ipx traffic - RIP and SAP info

· Show isdn active - number with active status

· Show isdn status - shows if SPIDs are valid, if connected

· Show mac-address-table - contents of the dynamic table

· Show protocols - routed protocols and net_addresses of interfaces

· Show running-config - dram config file

· Show sessions - connections via telnet to remote device

· Show startup-config - nvram config file

· Show terminal - shows history size

· Show trunk a/b - trunk stat of port 26/27

· Show version - ios info, uptime, address of switch

· Show vlan - all configured vlan’s

· Show vlan-membership - vlan assignments

· Show vtp - vtp configs

CATALYST COMMANDS
For Native IOS - Not CatOS

SWITCH ADDRESS:

· Config# ip address 192.168.10.2 255.255.255.0

· Config# ip default-gateway 192.168.10.1

DUPLEX MODE:

· Config# interface Ethernet 0/5 - “fastethernet” for 100 Mbps ports

· Config-if# duplex full - also, half | auto | full-flow-control

SWITCHING MODE:

· Config# switching-mode store-and-forward - also, fragment-free

MAC ADDRESS CONFIGS:

· Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port

· Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
-port 3 can only send data out port 2 with that mac
-very restrictive security

· Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port

VLANS:

· Config# vlan 10 name FINANCE

· Config# interface Ethernet 0/3

· Config-if# vlan-membership static 10

TRUNK LINKS:

· Config-if# trunk on - also, off | auto | desirable | nonegotiate

· Config-if# no trunk-vlan 2
-removes vlan 2 from the trunk port
-by default, all vlans are set on a trunk port

CONFIGURING VTP:

· Config# delete vtp - should be done prior to adding to a network

· Config# vtp server - the default is server, also client and transparent

· Config# vtp domain Camp - name doesn’t matter, just so all switches use the same

· Config# vtp password 1234 - limited security

· Config# vtp pruning enable - limits vtp broadcasts to only switches affected

· Config# vtp pruning disable

FLASH UPGRADE:

· Config# copy tftp://192.5.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:

· Config# delete nvram

Pengertian

• Jaringan traffic flow dan pengaruh desain keamanan manajemen jaringan computer.
  
• Access lists mengijinkan atau menolak pernyataan bahwa filter traffic dapat ke segmen jaringan dan dari segmen jaringan berdasarkan pada:
• Alamat sumber
• Alamat tujuan
• Tipe protocol
• Dan nomor port dari paket.

Access list adalah pengelompokan paket berdasarkan kategori. Access list bisa sangat membantu ketika membutuhkan pengontrolan dalam lalu lintas network. access list menjadi tool pilihan untuk pengambilan keputusan pada situasi ini.
Penggunaan access list yang paling umum dan paling mudah untuk dimengerti adalah penyaringan paket yang tidak diinginkan ketika mengimplementasikan kebijakan keamanan.
Sebagai contoh kita dapat mengatur access list untuk membuat keputusan yang sangat spesifik tentang peraturan pola lalu lintas sehingga access list hanya memperbolehkan host tertentu mengakses sumber daya WWW sementara yang lainnya ditolak. Dengan kombinasi access list yang benar, network manajer mempunyai kekuasaan untuk memaksa hamper semua kebijakan keamananyang bisa mereka ciptakan.
Access list juga bisa digunakan pada situasi lain yang tidak harus meliputi penolakan paket. Sebagai contoh access list digunakan untuk mengontrol network mana yang akan atau tidak dinyatakan oleh protocol dynamic routing. Konfigurasikan access list dengan cara yang sama. Perbedaannya disibni hanyalah bagaimana menerapkannya ke protocol routing dan bukan ke interface. Kita juga bisa menggunakan access list untuk mngkategorikan pakt atau antrian /layanan QOS, dan mengontrol tipe lalu lintas data nama yang akan mengaktifkan link ISDN.

Membuat access list sangat mirip dengan statement pada programming if – then jika sebuah kondisi terpenuhi maka aksi yang diberikan akan dijalankantidak terpenuhi, tidak ada yang terjadi dan statemen berikutnya akan dievaluasi. Statement ACL pada dasarnaya dalah paket filter dimana paket dibandingkan, dimana paket dikategorikan dan dimana suatu tindakan terhadap paket dilakukan.
List(daftar) yang telah dibuat bisa diterpakan baik kepada lalulintas inbound maupun outbound pada interface mana saja. Menerapkan ACL menyebabkan router menganalisa setiap paket arah spesifik yang melalui interface tersebut dan mengmbil tindakan yang sesuai.
Ketika paket dibandingkan dengan ACL, terdapat beberapa peraturan (rule) penting yang diikuti:

• Paket selalu dibandingkan dengan setiap baris dari ACL secara berurutan, sebagai contoh paket dibandingkan dengan baris pertama dari ACL, kemudian baris kedua, ketiga, dan seterusnya.
• Paket hanya dibandingkan baris-baris ACL sampai terjadi kecocokan. Ketika paket cocok dengan kondisi pada baris ACL, paket akan ditindaklanjuti dan tidak ada lagi kelanjutan perbandingan.
  
• Terdapat statement “tolak” yang tersembunyi (impilicit deny) pada setiap akhir baris ACL, ini artinya bila suatu paket tidak cocok dengan semua baris kondisi pada ACL, paket tersebut akan ditolak
  
  
  
  

Jenis ACL

• Standard ACL

Standard ACL hanya menggunakan alamat sumber IP di dalam paket IP sebagai kondisi yang ditest. Semua keputusan dibuat berdasarkan alamat IP sumber. Ini artinya, standard ACL pada dasarnya melewatkan atau menolak seluruh paket protocol. ACL ini tidak membedakan tipe dari lalu lintas IP seperti WWW, telnet, UDP, DSP.

• Extended ACL
  

Extended ACL bisa mengevalusai banyak field lain pada header layer 3 dan layer 4 pada paket IP. ACL ini bisa mengevaluasi alamat IP sumber dan tujuan, field protocol pada header network layer dan nomor port pada header transport layer. Ini memberikan extended ACL kemampuan untuk membuat keputusan-keputusan lebih spesifik ketika mengontrol lalu lintas.

Jenis Lalu Lintas ACL

• Inbound ACL
  

Ketika sebauah ACL diterapkan pada paket inbound di sebuah interface, paket tersebut diproses melalui ACL sebelum di-route ke outbound interface. Setiap paket yang ditolak tidak bisa di-route karena paket ini diabaikan sebelum proses routing diabaikan.

• Outbond ACL
  

Ketika sebuah ACL diterapkan pada paket outbound pada sebuah interface, paket tersebut di-route ke outbound interface dan diproses melalui ACL malalui antrian.

Panduan Umum ACL

Terdapat beberapa panduan umum ACL yang seharusnya diikuti ketika membuat dan mengimplementasikan ACL pada router :

• Hanya bisa menerapkan satu ACL untuk setiap interface, setiap protocol dan setiap arah. Artinya bahwa ketika membuat ACL IP, hanya bisa membuat sebuah inbound ACL dan satu Outbound ACL untuk setiap interface.
• Organisasikan ACL sehingga test yang lebih spesifik diletakkan pada bagian atas ACL
• Setiap kali terjadi penambahan entry baru pada ACL, entry tersebut akan diletakkan pada bagian bawah ACL. Sangat disarankan menggunakan text editor dalam menggunakan ACL
• Tidak bisa membuang satu baris dari ACL. Jika kita mencoba demikian, kita akan membuang seluruh ACL. Sangat baik untuk mengcopy ACL ke text editor sebelum mencoba mengubah list tersebut.
  
  
• Wildcard Masking
  

Wildcard masking digunakan bersama ACL untuk menentukan host tunggal, sebuah jaringan atau range tertentu dari sebuah atau banyak network. Untuk mengerti tentang wildcard, kita perlu mengerti tentang blok size yang digunkan untuk menentukan range alamat. Beberapa blok size yang berbeda adalah 4, 8, 16, 32, 64.
Ketika kita perlu menentukan range alamat, kita memilih blok size selanjutnya yang terbesar sesuai kebutuhan. Sebagai contoh, jika kita perlu menentukan 34 network, kita memerlukan blok size 64. jika kita ingin menentukan 18 host, kita memerlukan blok size 32. jiak kita perlu menunjuk 2 network, maka blok size 4 bisa digunakan. Wildcard digunakan dengan alamat host atau network untuk memberitahukan kepada router untuk difilter.
Untuk menentukan sebuah host, alamat akan tampak seperti berikut 172.16.30.5 0.0.0.0 keempat 0 mewakili setiap oktet pada alamat. Dimanapun terdapat 0, artinya oktet pada alamat tersebut harus persis sama. Untuk menentukan bahwa sebuah oktet bisa bernilai apa saja, angka yang digunakan adalah 255. sebagai contoh, berikut ini adalah subnet /24 dispesifikasikan dengan wildcard: 172.16.30.0 0.0.255 ini memberitahukan pada router untuk menentukan 3 oktet secara tepat, tapi oktet ke-4 bisa bernilai apa saja.

Standard Access List

Standard IP ACL memfilter lalu lintas network dengan menguji alamat sumber IP didalam paket. Kita membuat standard IP ACL dengan menggunakan nomor ACL 1-99 atau 1300-1999(expanded range).Tipe ACL pada ummnya dibedakan berdasarkan nomor yang digunakan ketika ACL dibuat, router akan mengetahui tipe syntax yang diharapkan untuk memesukkan daftar.
Dengan menggunakan nomor 1-99 atau 1300-1999, kita memberitahukan kepada router bahwa kita ingin membuat IPACL, jadi router akan mengharapkan syntax yang hana menspesifikasikan alamat sumber IP pada baris pengujian.
Banyak range nomor ACL pada contoh dibawah ini yang bisa kita gunakan untuk memfilter lalu lintas pada jaringan kita (protocol yang bisa kita terapkan ACL bisa tergantung pada versi IOS kita) :

Contoh Standard ACL
Standard ACL untuk menghentikan user tertentu mendapatkan akses ke LAN Department Finance.
Pada gambar, router mempunyai 3 koneksi LAN dan 1 koneksi WAN ke internet. User pada LAN Sales tidak boleh mempunyai akses ke LAN finance, tapi mereka boleh mengakses internet dan Department Marketing.
LAN Marketing perlu mengakses LAN Finance untuk layanan aplikasi
Pada router yang digambar, standard IP ACL berikut dikonfigurasi :

Lab_A#config t
Lab_A(config)#access -list 10 deny 172.16.40.0 0.0.0.255
Lab_A(config)#access-list 10 permit any

Sangatlah penting untuk diketahui bahwa perintah any sama halnya dengan menggunakan wildcard masking berikut :

Lab_A(config)#access-list 10 permit 0.0.0.0 255.255.255.255

Karena wildcard mask menyatakan bahwa tidak ada oktet yang diperiksa, setiap alamat akan sesuai dengan kondisi test. Jadi fungsi ini sama dengan penggunaan kata any. Saat ini, ACL dikonfigurasi untuk menolak alamat sumber dari LAN sales yang mengakses LAN finance, dan memperbolehkan dari akses yang lain. Tetapi untuk diingat, tidak ada tindakan yang diambil sampai akses list diterapkan pada arah yang spesifik. Tetapi dimana ACL ini seharusnya ditempatkan? Jika kita menempatkannya pada E0, kita mungkin akan mematikan juga interface Ethernet karena semua peralatan LAN Sales akan ditolak akses ke semua network yang terhubung ke router.
Tempat terbaik untuk menerapkan ACL ini adalah pada E1 sebagai outbound list:

Lab_A(config)#Int E1
Lab_A(config-if)#ip access-group 10 out

Ini menghentikan secara tuntas lalu lintas 172.16.40.0 keluar dari Ethernet 1. Ini tidak ada pengarujnya terhadap host dari LAN Sales yang mengakses LAN marketing dan internet, karena lalu lintas ke tujuan tersebut tidak melalui interface E1. Setiap paket yang mencoba keluar dari E1 harus melalui ACL terlebih dahulu. JIka terdapat inbound lit yang ditempatkan pada E0, maka setiap paket yang mancoba masuk ke interface E0 akan harus melalui ACL terlebih dahulu sebelum di route ke interface keluar.

Keistimewaan Standard Access List
Software Cisco IOS dapat memprovide pesan logging tentang paket – paket. Yang diijinkan atau ditolak oleh standard IP access list. Itulah sebabnya beberapa paket dapat cocok dengan access list.yang disebabkan oleh informasi pesan logging.tentang paket yang telah dikirimkan ke console. Level dari pesan logging ke console yang dikendalikan oleh perintah logging console.Kemampuan ini hanya terdapet pada extended IP access lists.

Triggers paket pertama access list menyebabkan logging message yang benar, dan paket – paket berikutnya yang dikunpulkan lebih dari interval 5-menit sebelum ditampilkan. Pesan logging meliputi nomor access list, apakah paket tersebut diterima atau ditolak, alamat IP sumber dari paket dan nomor asal paket yang diterima sumber atau ditolak dalam interval 5 menit.

KEUNTUNGAN
Kita dapat memantau berapa banyak paket yang diijinkan atau ditolak oleh access list khusus termasuk alamat tujuan setiap paket.
Membuat Standard Access List Menggunakan Nomor
Untuk membuat nomor standard access list dan menerima pesan logging, ditampilkan dalam mode global konfigurasi, sebagai berikut :

Membuat Standard Access List Menggunakan Nama
Untuk membuat nama standard access list dan menerima pesan logging, berikut adalah permulaan dalam mode global konfigurasi.

Untuk mendefinisikan standard IP access list dengan nomor, menggunakan standard version dari acess-list ration untuk memindahkan sebuah standard access list, maka digunakan perintah berikut :
access-list access-list-number {deny permit} source [source-wildcard] [log] no access-list access-list-number






Extended ACL

Extended ACL bisa mengevaluasi banyak field lain pada header layer 3 dan layer 4 pada paket IP. ACL ini bisa mengevaluasi IP sumber dan tujuan, field protocol dalam network header Network Layer dan nomor port pada Transport Layer. Ini memberikan extended ACL kemampuan untuk membuat keputusan – keputusan lebih spesifik ketika mengontrol lalu lintas.
Pada contoh Standard ACL, perhatikan bagaimana kita harus memblok semua akses dari LAN Sales ke Department Finance. Bagaimana jika untuk urusan keamanan, kita membutuhkan Sales mendapatkan akses ke server tertentu pada LAN Finance tapi tidak ke layanan network lainnya ? Dengan standard IP ACl, kita tidak memperbolehkan user mendapat satu layanan sementara tidak untuk yang lainnya. Dengan kata lain, ketika kita membutuhkan membuat keputusan berdasarkan alamat sumber dan tujuan, standard ACL tidak memperbolehkan kita melakukannya karena ACL ini hanya mambuta kaputusan berdasrkan alamat sumber. Tetapi extended ACl akan membantu kita karena extended ACL memperbolehkan kita menentukan alamat sumber dan tujuan serta protocol dan nomor port yang mengidentfikasikan protocol upper layer atau aplikasi. Dengan menggunakan extended ACL kita bisa secara efisien memperbolehkan user mengakses ke fisik LAN dan menghentikan host tertentu atau bahkan layanan tertentu pada host tertentu.

Contoh Extended Access List
Layanan lain pada host ini dan host lainnya bisa diakses oleh departertmen seles dan marketing. Berikut adalah access list yang dibuat:
Lab_A#config t
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 21
Lab_A(config)#access-list 110 deny tcp any host 172.16.30.5 eq 23
Lab_A(config)#access-list 110 permit ip any any
Access list 110 memberitahukan ke router bahwa anda membuat Extended IP Access List. TCP adalah field procol pada heather layer network. Jika pada list tidak terdapat TCP disini, anda tidak bisa menyaring berdasarkan nomor port 21 dan 23 seperti yang diperlihatkan pada contoh (yaitu FTP dan Telnet dan keduanya menggunakan TCP untuk layanan conection - oriented). Perintah any disini adalah sumber, yang berarti semua alamat IP dan host adalah alamat IP tujuan. Setelah list dibuat, maka selanjutnya perlu diterapkan pada outbound interface ethernet 1.

• Hukum Access List
• Daftar aplikasi router secara berurutan menunjukan apa yang ditulis ke daalm router.
• Daftar aplikasi router untuk paket yang berurutan.
• Packet akan diproses jika cocok dan berdasarkan criteria access list termasuk pernyataan access list.
• Implicit deny any
  
• Semua paket yang tidak memenuhi syarat dari acces list akan di blok oleh perintah permit any yang digunakan pada akhir list.
• Hanya satu list, per protocol, per perintah yang dapat diaplikasikan pada interface.
• Kita tidak dapat memindahkan satu baris dari access list.
• Access list akan efektif segera setelah diaplikasikan.
  

Deskripsi Syntax

Beberapa bentuk fungsi access Lists dengan cisco router, meliputi

• Implementasi keamanan prosedur access
• Seperti [ada protocol firewall

PPP with CHAP Authentication
PPP (Point-to-Point Protocol)
PPP (Point-to-Point Protocol) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet server provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you. PPP uses the Internet protocol (IP) (and is designed to handle others). It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet.
PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High Speed Data Link Control (HDLC) for packet encapsulation.
PPP is usually preferred over the earlier de facto standard Serial Line Internet Protocol (SLIP) because it can handle synchronous as well as asynchronous communication. PPP can share a line with other users and it has error detection that SLIP lacks. Where a choice is possible, PPP is preferred.
CHAP (Challenge-Handshake Authentication Protocol)

CHAP (Challenge-Handshake Authentication Protocol) is a more secure procedure for connecting to a system than the Password Authentication Procedure (PAP). Here's how CHAP works:
After the link is made, the server sends a challenge message to the connection requestor. The requestor responds with a value obtained by using a one-way hash function.
The server checks the response by comparing it its own calculation of the expected hash value.
If the values match, the authentication is acknowledged; otherwise the connection is usually terminated.
At any time, the server can request the connected party to send a new challenge message. Because CHAP identifiers are changed frequently and because authentication can be requested by the server at any time, CHAP provides more security than PAP. RFC1334 defines both CHAP and PAP.
Configuring PPP w/CHAP on a Cisco Router
The interface command to enable ppp is:
encapsulation ppp
Place this on both ends and that is it. However, to enable authentication, we need to add the interface command
ppp authentication chap
to both routers, the routers will now require authentication over the link. They will attempt to log in with their HOSTNAME as their USERNAME and their ENABLE password as their chap PASSWORD. We must create an entry in the router that matches the remote routers username and password (global config):
username Other_Router password Other_enable_pass
That is all their is to basic PPP.
Our Samples:
(R1)s0----------s0(R2)
PPP Without CHAP
Router 1:
hostname R1
interface serial 0
encapsulation PPP
no shutdown
Router 2:
hostname R2
interface serial 0
encapsulation PPP
no shutdown
PPP With CHAP default names and password
Router 1:
hostname R1
enable secret toast1
username R2 password cool2
interface serial 0
encapsulation PPP
ppp authentication chap
no shutdown
Router 2:
hostname R2
enable secret cool2
username R1 password toast1
interface serial 0
encapsulation PPP
ppp authentication chap
no shutdown
Copyright (c) 2001 Boson Software, Inc. All Rights Reserv

IP addressing is very easy to configure on a Cisco router. Although the calculation of IP addresses, subnet masks and host can be rather difficult.
The syntax to place an IP address on the interface is:
ip address ip-address mask
Given the routers below, we wish to configure IP addresses on Router1 and Router2





Remember the the /24 means 255.255.255.0. For your convenience here is a handy table:
Slash Dotted Decimal Slash Dotted Decimal Slash Dotted Decimal

/8 255.0.0.0 /16 255.255.0.0 /24 255.255.255.0

/9 255.128.0.0 /17 255.255.128.0 /25 255.255.255.128

/10 255.192.0.0 /18 255.255.192.0 /26 255.255.255.192

/11 255.224.0.0 /19 255.255.224.0 /27 255.255.255.224

/12 255.240.0.0 /20 255.255.240.0 /28 255.255.255.240

/13 255.248.0.0 /21 255.255.248.0 /29 255.255.255.248

/14 255.252.0.0 /22 255.255.252.0 /30 255.255.255.252

/15 255.254.0.0 /23 255.255.254.0 /31 255.255.255.254
Let's start configuring Router 1


Router>

Router>en

Router#conf tEnter configuration commands, one per line. End with CNTL/Z.

Router(config)#int e0

Router(config-if)#ip address 10.1.1.1 255.255.255.0

Router(config-if)#int s0

Router(config-if)#ip address 10.1.2.2 255.255.255.0

Router(config-if)#end%SYS-5-CONFIG_I: Configured from console by console

Router#



We can view the IP addresses on the interface:
Router#sh ip interface brief

Interface IP-Address OK? Method Status Protocol

BRI0 unassigned YES manual admin down down

Ethernet0 10.1.1.1 YES manual admin down down

Ethernet0 10.1.2.2 YES manual admin down down


Router#




We have assigned an IP address to each interface but the interface is still administratively down because we have not executed a 'no shutdown' command on each interface.
Now you should go to each of the interfaces and type no shutdown, this should turn the interfaces to up.
Connect to Router 2 We would also like to add ip addresses to the interfaces.
Router>

Router>en

Router#conf tEnter configuration commands, one per line. End with CNTL/Z.

Router(config)#int e0

Router(config-if)#ip address 10.1.1.2 255.255.255.0

Router(config-if)#int s0

Router(config-if)#ip address 10.1.2.2 255.255.255.0

Router(config-if)#exit%SYS-5-CONFIG_I: Configured from console by console

Router(config)#exit

Router#exit




PING
PING, the Packet Inter Net Groper, allows a user to test basic connectivity. The syntax is:
ping ip-address
The router will send out five echo requests to the destination IP address, if it receives a reply, it will not it with an '!', if not reply is received it will note it with a '.'.
A successful ping:
Router#ping 10.1.1.1
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 32/37/44 ms
Router#
A failed ping:
Router#ping 2.2.2.2
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:.....

Success rate is 0 percent (0/5)
Router#
Ping is one of the most commonly used test tools in the word. PING uses the Internet Control Message Protocol (ICMP) to communicate with other routers.
You can also view your ip addresses using the command show running-config or show ip interface.


Copyright (c) 2001 Boson Software, Inc. All Rights Reserved

Examining the Interfaces

Routers can have many types of interfaces, such as token ring, FDDI, ethernet, serial, ISDN etc. We often want to view the status and settings. There are a few important commands we must know.

show interfaces is on of the more important commands.
Router#show interfaces
Ethernet0 is administratively down, line protocol is down
Hardware is Lance, address is 0060.5cc4.f445 (bia 0060.5cc4.f445)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255Encapsulation ARPA, loopback not set, keepalive set (10 sec)
[ OUTPUT OMMITTED]
This command will produce output about each interface. In this case we see that Ethernet 0 is administratively down. That means that it is turned off with the shutdown command. The different status that can occur:

Ethernet 0 is Line protocol is Meaning administratively down down The interface is turned off with the shutdown command up down Cable is connected but keep alives are not being received. down down Cabling problem or no clock rate set on DCE. Or other router interface is shutdown. up up connected and receiving keep alives. This is what we want!!!


You can view particular intefaces with the command: show interface serial 0. Or any other interface. A handy command is show ip interface brief.
Router#show ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet0 unassigned YES not set administratively down down
PCbus0 unassigned YES not set administratively down down
Serial0 unassigned YES not set up down
Router#


This allows you to rapidly see the status of all the interfaces.
Examining the Controllers
Controllers are the part of the interface that makes the physical connection. The most important to us is to find our what kind of cable is attached to a serial interface.
A DTE (data terminating equipment) cable is the normal cable you should use. Being DTE means you expect the other end to providing clocking.
A DCE data circuit-terminating equipment) means that this deving must provide the clocking on the wire.


The show controllers command will allow you to see if you are DCE or DTE.
Router#show controllers serial 0
HD unit 0, idb = 0xA2B58, driver structure at 0xA7020buffer size 1524 HD unit 0, V.35 DCE cablecpb = 0x42, eda = 0x2140, cda = 0x2000
Configuring the Interfaces
If an interface is administratively down. You must enter configuration mode, the enter interface configuration mode, and then issue the command no shutdown.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface ethernet 0
Router(config-if)#no shutdown
Router(config-if)#%LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up%LINK-3-UPDOWN: Interface Ethernet0, changed state to up
Router(config-if)#endRouter#
If your interface is the DCE, you must provide clocking using the clock rate command.
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0
Router(config-if)#clock rate 56000Router(config-if)#end
Router#


It is often useful to put a description of what the interface is used for using the description command.
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0
Router(config-if)#description My Connection to the Engineering Hub
Router(config-if)#end
Router#
You can view your changes using show running-config or show interfaces or show controllers

Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.

Running Configuration
The currently active configuration script running on the router is referred to as the 'running-config' on the routers command-line interface. Note the privilege mode required. The running configuration script is not automatically saved on a Cisco router, and will be lost in the event of power failure. The running configuration must be manually saved with the 'copy' command (discussed in a later lab).

Router>
Router>enable
Router#show running-configBuilding configuration...
Current configuration:
!version 12.0!hostname Router
!interface Serial0
no ip address
shutdown
!interface BRI0
no ip address
shutdown
!interface Ethernet0
no ip address
shutdown
!line con 0
line aux 0
line vty 0 4
!end
Router#


If you decide you would like to start configuring a router from scratch you will need to reload the router making sure you have deleted your startup-config file that is stored in NVRAM. To do this you will need to first erase the configuration file you have in NVRAM using the command erase startup-config. Next you will need to reload the router and do not save the configurations when asked.

left#erase startup-
left#erase startup-config
Erasing the nvram filesystem will remove all files! Continue? [confirm][OK]Erase of nvram: complete
left#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]

Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.

CDP allows devices to share basic configuration information without even configuring any protocol specific information. CDP is enabled by default on all interfaces.
CDP is a Datalink Protocol occuring at Layer 2 of the OSI model. This is important to understand because CDP is not routable. It can only traverse to directly connected devices.
CDP allows you to view information such Operating System Version, Protocol Information, and much more. This can be very handy for troubleshooting a variety of problems.
CDP ConfigurationBy default it is enabled on the router and all interfaces. The commands are simple:

Global Configuration Commands:
no cdp run turn off CDP for the entire router cdp run (default) turn it on for the entire router cdp timer 120 would change CDP to advertise every 120 seconds
Interface Configuration Commands:
cdp enable (default) turn it on for the interface no cdp enable turn it off for interface
Show Commands:
show cdp interface view interface settings,
show cdp neighbor view directly connected neighbors
show cdp neighbor detail view detailed information about neighbors show cdp general information Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.

This lab will introduce the Cisco Internetwork Operating System (IOS) command line interface (CLI). You will need to logon to a router and become familiar with the different levels of access on the router. You will also become familiar with the commands available to you in each mode (user or privileged) and the router help facility, history, and editing features.
Show Version
The 'show version' command gives you a lot more information than at first you may think. Use 'show version' to obtain critical information, such as: router platform type, operating system revision, operating system last boot time and file location, amount of memory, number of interfaces, and configuration register.
Router>show version
Krang Operating System SoftwareRouter
uptime is 2 minutesSystem returned to
ROM by power-onSystem image file is "flash:c2500.bin"
[[[OUTPUT DELETED]]]
1 Ethernet/IEEE 802.3 interface(s)
1 Serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
4096K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Routing Protocols
To view the status of any routing protocols currently configured on the router, use the 'show protocols' command.
Router>show protocols
Global values:
Internet Protocol routing is enabled
BRI0 is administratively down, line protocol is Down
Ethernet0 is administratively down, line protocol is Down
Serial0 is administratively down, line protocol is Down


Flash Memory
Flash memory is a special kind of memory on the router that contains the operating system image file(s). Unlike regular router memory, Flash memory continues to maintain the file image even after power is lost.
Router>show flash


System flash directory:
File Length Name/status1 3015588 c2500.bin
[3015652 bytes used, 1178652 available, 4194304 total]
4096K bytes of processor board System flash (Read/Write)

Running Configuration
The currently active configuration script running on the router is referred to as the 'running-config' on the routers command-line interface. Note the privilege mode required. The running configuration script is not automatically saved on a Cisco router, and will be lost in the event of power failure. The running configuration must be manually saved with the 'copy' command (discussed in a later lab).
Router>
Router>enable
Router#show running-configBuilding configuration...
Current configuration:
!version 12.0
!hostname Router
!interface Serial0
no ip address
shutdown
!interface BRI0
no ip address
shutdown
!interface Ethernet0
no ip address
shutdown
!line con 0
line aux 0
line vty 0 4
!end
Router#


Command History
The routers Command Line Interface (CLI) maintains by default the last 10 commands you have entered in memory, for later retrieval. You can change this default value. You cycle through previous router commands entered (since the last power loss), using one of two methods. To view all of the past commands still in router memory at the same time, use the 'show history' command. For single line retrieval, use either the Arrow-Up (for previous command) and Arrow-Down (for next command), or Control-P (for previous command) and Control-N (for next command).
Router>show history
show version
show protocols
show flashenable
show running-configdisable
show history


Clock
The router keeps its own clock that you can use to synchronize devices to. To view the clock use the show clock command.
Krang#show clock
*00:38:35.755 UTC Mon Mar 1 1993
Krang#

Host Table
You can create a list of host name on your router. You can view the entries (if any) by typing show hosts.
Krang#show hosts
Default domain is not setName/address lookup uses static mappings
Host Flags Age Type Address(es)Krang#
Show users
The show users command displays users who are connected to the router.
Krang#show users
Line User Host(s) Idle Location
* 0 con 0 idle 00:00:00
Krang#


Show Interfaces
The show interfaces command will display statistics for all interfaces configured on the router
Krang#show interfaces
BRI0 is administratively down, line protocol is down
Hardware is BRI
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not setLast input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/256 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)5 minute input rate 0 bits/sec, 0 packets/sec5 minute output rate 0 bits/sec, 0 packets/sec0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants, 0 throttles0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 packets output, 0 bytes, 0 underruns0 output errors, 0 collisions, 5 interface resets0 output buffer failures, 0 output buffers swapped out0 carrier transitions--More--



Notice the --More-- This means that there is more information pertaining to the last command. To view more commands line by line, press: enter To exit the output and return to the router prompt, press: e (this can be any letter, it's just easy to remember that e is for exit) To view more output one screen at a time, press the space bar
Show Protocols
The show protocols displays global and interface specific status of layer 3 protocols.
Krang#show protocols
Global values:
Internet Protocol routing is enabled
BRI0 is administratively down, line protocol is down
Ethernet0 is administratively down, line protocol is down
Serial0 is administratively down, line protocol is down
Serial1 is administratively down, line protocol is down
Serial2 is administratively down, line protocol is down

Copyright (c) 2001 Boson Software, Inc. All Rights Reserved.

This lab will introduce the Cisco Internetwork Operating System (IOS) command line interface (CLI). You will need to logon to a router and become familiar with the different levels of access on the router. You will also become familiar with the commands available to you in each mode (user or privileged) and the router help facility, history, and editing features.

User vs. Privileged Mode
User mode is indicated with the '>' next to the router name. You can look at settings but can not make changes from user mode. In Privilege mode (indicated by the '#', you can do anything. To get into privilege mode the keyword is ENABLE.
Router>
Router>enable
Password:
Router#
HELP
To view all commands available from this mode type: ? and press: enter This will give you the list of all available commands for the router in your current mode. You can also use the question mark after you have started typing a command. For example if you want to use a show command but you do not remember which one it it use show ? this will output all commands that you can use with the show command.
r1#show ?
access-expression List access expressionaccess-lists List access listsbackup Backup statuscdp CDP informationclock Display the system clockcls DLC user informationcompress Show compression statisticsconfiguration Contents of Non-Volatile memory--More--
Configuration Mode
From privilege mode you can enter configuration mode by typing CONFIG T you can exit configuration mode type type
END or +z
Router#config t
Router(config)#end
Copyright (c) 2001 Boson Software, Inc. All Rights Reserved

Dokumen ini berisi komponen teknologi Multi-Protocol Label Switching (MPLS), fungsi-fungsinya dan ilustrasi nilai tambah bagi Service Provider.

MPLS pada mulanya ditargetkan untuk pelanggan Service Provider; tetapi saat ini perusahaan-perusahaan sudah mulai tertarik untuk penerapan teknologi ini. Dokumen ini dapat diterapkan untuk perusahaan besar yang memiliki jaringan seperti Service Provider pada area berikut ini :

• - Size/ukuran besarnya jaringan
• - Menawarkan “internal services” untuk department yang berbeda dalam perusahaan

MPLS komplimen dengan teknologi IP. MPLS di desain untuk membangkitkan kecerdasan yang berhubungan dengan IP Routing, dan Paradigma Switching yang berhubungan dengan Asynchronous Transfer Mode (ATM).

MPLS terdiri dari Control Plane dan Forwarding Plane. Control Plane membuat apa yang disebut “Forwarding Table”, sementara Forwarding Plane meneruskan paket ke interface tertentu (berdasarkan Forwarding Table).

Efisien desain dari MPLS adalah menggunakan Labels untuk membungkus/encapsulate paket IP. Sebuah Forwarding Table berisi list/mengurutkan Nilai-nalai Label (Label Values), yang masing-masing berhubungan dengan penentuan “outgoing interface” untuk setiap prefix network/jaringan.

Cisco IOS Software support 2 mekanisme signalling untuk distribusi Label: Label Distribution Protocol (LDP) dan Resource Reservation Protocol/Traffic Engineering (RSVP/TE).

MPLS meliputi komponen utama sebagai berikut :

1. MPLS Virtual Private Networks (VPNs) - memberikan “MPLS-enabled IP networks” untuk koneksi Layer 3 dan Layer 2. Berisi 2 komponen utama :

1. Layer 3 VPNs - menggunakan Border Gateway Protocol.
2. Layer 2 VPNs - Any Transport over MPLS (AToM)

2. MPLS Traffic Engineering (TE) - menyediakan peningkatan utilisasi dari bandwidth jaringan yang ada dan untuk “protection services”.

3. MPLS Quality of Service (QoS) - menggunakan mekanisme IP QoS existing, dan menyediakan perlakuan istimewa untuk type trafik tertentu, berdasarkan atribut QoS (seperti MPLS EXP)

MPLS VPNs

Layer 3 VPNs

Layer 3 VPNs atau BGP VPNs, teknologi MPLS yang paling banyak digunakan. Layer 3 VPNs menggunakan “Virtual Routing instances” untuk membuat sebuah pemisahan table routing untuk tiap-tiap pelanggan/subscriber, dan menggunakan BGP untuk membentuk koneksi (peering relations) dan signal VPN-berLabel dengan masing-masing router Provider Edge (PE) yang sesuai. Hasilnya sangat scalable untuk diimplementasikan, karena router core (P) tidak memiliki informasi tentang VPNs.

BGP VPNs sangat berguna ketika pelanggan menginginkan koneksi Layer 3 (IP), dan lebih menyukai untuk membuang overhead routing ke Service Provider. Hal ini menjamin bahwa keanekaragaman interface Layer 2 dapat digunakan pada tiap sisi/side VPN. Contoh, Site A menggunakan interface Ethernet, sementara Site B menggunakan interface ATM; Site A dan Site B adalah bagian dari single VPN.

Relatif sederhana untuk penerapan “multiple topologies” dengan “router filtering”, Hub & Spoke atau Full Mesh:

• Hub and Spoke - “central site” dikonfigurasi untuk “learn/mempelajari” semua “routes” dari seluruh remote sites, sementara remote sites dibatasi untuk “learn/mempelajari” routes, hanya khusus dari central site.

• Topology Full Mesh akan menciptakan semua sites mempunyai kemampuan “learn/mempelajari” atau mengimport routes dari tiap site lainnya.

Layer 3 VPNs telah dikembangkan dalam jaringan yang mempunyai router PE sebanyak 700. Saat ini terdapat Service Provider yang memiliki sampai 500 VPNs, dengan masing-masing VPN berisi site sebanyak 1000. Banyak ragam routing protocol yang digunakan pada link akses pelanggan (yaitu link CE ke PE); Static Routes, BGP, RIP dan Open Shortest Path First (OSPF). VPNs paling banyak menggunakan Static Routes, diikuti dengan Routing BGP.

Layer 3 VPNs menawarkan kemampuan lebih, seperti Inter-AS dan Carrier Supporting Carrier (CSC). Hierarchical VPNs, memungkinkan Service Provider menyediakan koneksi melewati “multiple administrative networks”. Saat ini, penerapan awal dari fungsi seperti ini sudah tersebar luas.

Layer 2 VPNs

Layer 2 VPNs mengacu pada kemampuan dan kebutuhan dari pelanggan Service Provider untuk menyediakan Layer 2 Circuits melalui “MPLS-enabled IP backbone”. Penting untuk memahami 3 komponen utama dari Layer 2 VPNs:

1. Layer 2 Transport over over MPLS - Layer 2 circuit - membawa data secara transparent - melalui MPLS enabled IP backbone (juga dikenal sebagai AToM).

2. Virtual Private Wire Services - Kemampuan untuk menambahkan signalling ke AToM, dan untuk fitur-fitur seperti auto-discovery perangkat CE.

3. Virtual Private LAN Services - Kemampuan menambahkan Virtual Switch Instances (VSIs) pada router PE untuk membentuk “LAN based services” melalui MPLS-enabled IP backbone.

Circuits Layer 2 yang dominan adalah Ethernet, ATM, Frame Relay, PPP, dan HDLC. AToM dan Layer 3 VPNs didasarkan pada konsep yang sama, tetapi AToM menggunakan sebuah “directed LDP session” untuk mendistribusikan Labels VC (analogy dengan BGP VPN Label). Oleh karena itu, router core tidak perlu mengetahui per-subscriber basis, hasinya sebuah architecture yang sangat “scalable”.

Sebelum ada AToM, Service Provider harus membangun jaringan yang berbeda untuk menyediakan koneksi Layer 2. Contoh, Service Provider harus membangun sebuah ATM dan sebuah Frame Relay Network, hasilnya peningkatan biaya operasional dan “capital expenses”. Saat ini, Layer 2 VPNs MPLS memungkinkan Service Provider untuk menggabungkan jenis jaringan yang berbeda ini, sehingga menghemat biaya operasional dan “capital expenses” secara significant.

Layer 2 VPNs dan Layer 3 VPNs dapat dikonfigurasi dalam single/satu box dan dapat difungsikan untuk meningkatkan keuntungan dari pelanggan.

Layer 2 dan Layer 3 VPNs saling melengkapi satu sama lain. Dengan berjalannya waktu, demand untuk Layer 2 VPNs bisa jadi lebih tinggi dibandingkan dengan Layer 3 VPNs.

MPLS Traffic Engineering

MPLS TE sejak awal diharapkan Service Provider sebagai teknologi yang dapat memanfaatkan bandwitdh jaringan yang tersedia secara lebih baik dengan menggunakan jalur alternatif/alternate paths (selain dari “the shortest path).
MPLS TE telah dikembangkan dengan beberapa keuntungan, termasuk Connectivity Protection menggunakan Fast ReRoute dan “Tight QoS”. “Tight QoS” dihasilkan dari penggunaan MPLS TE dan mekanisme QoS secara bersamaan.

MPLS TE menggunakan IGP, IS-IS dan OSPF untuk menyebar informasi bandwidth melalui jaringan. MPLS TE juga menggunakan RSVP Extention untuk mendistribusikan label dan “constraint-based routing” untuk menghitung jalur/paths dalam jaringan. Extention ini telah didefinisikan di rfc 3209

Service Provider yang membangun MPLS cenderung untuk menerapkan “full mesh” TE Tunnels, menciptakan logical mesh, walaupun topology physical tidak full mesh. Pada situasi seperti ini, Service Provider telah memperolah tambahan 40% - 50% ketersediaan bandiwidth di jaringan. Keuntungan ini adalah penggunaan jaringan secara optimal, yang berperan penting pada penurunan “capital expenses”.

MPLS TE menyediakan Connectivity Protection menggunakan Fast ReRoute (FRR). FRR memproteksi primary tunnels menggunakan pre-provisioned backup tunnels. Jika tunnel DOWN (failure condition), dibutuhkan waktu sekitar 50 ms untuk primary tunnel “switch over” ke backup tunnel. FRR bergantung pada proteksi Layer 3, tidak seperti proteksi SONET atau SDH yang terjadi pada level interface. Oleh karena itu, Waktu restorasi bergantung pada jumlah tunel dan jumlah prefix yang di”switch-over”. Ini adalah hal penting (key issue) yang harus dipertimbangkan ketika membuat desain FRR yang optimal.

Test internal implementasi FRR Cisco telah menghasilkan performansi lebih baik dari 50 ms; walau bagaimanapun, waktu restorasi mungkin lebih tinggi, bergantung pada konfigurasi. FRR dapat digunakan untuk proteksi Links, Nodes dan seluruh LSP Path. Sebagian besar Service Provider lebih memperhatikan local failures, dan banyak ditemukan bahwa link failures lebih sering terjadi daripada node failures.

DiffServ Aware Traffic Engineering mampu menjalankan TE untuk class trafik yang berbeda. Service Provider boleh memutuskan untuk mengoperasikan TE Tunnels yang memanfaatkan “sub-pool” untuk trafik Voice. Selanjutnya, Service Provider dapat menyakinkan bahwa tunnel ini menggunakan explicit path, dimana shortest path menghasilkan delay terpendek. Selain itu, terdapat TE Tunnels yang menggunakan “global pool” untuk trafik non-voice yang bukan “delay sensitive”.

Hal ini penting untuk dicatat bahwa MPLS TE adalah fungsi dari Control Plane. Ketika solusi Virtual Leased Line (VLL) didefinisikan, mekanisme QoS yang sesuai harus dikonfigurasi (seperti Queuing atau Policing) untuk memenuhi garansi bandiwidth. Service Provider sudah mulai menawarkan jasa VLL sebagai trunk voice untuk menghubungkan Central Office termasuk PBX.

MPLS Quality of Service

MPLS QoS mempengaruhi mekanisme existing dari IP QoS DiffServ, memungkinkan mereka bekerja pada jalur/path MPLS. Extension tertentu, termasuk kemampuan untuk melakukan “set” dan “match” pada bit-bit MPLS EXP telah ditambahkan; meskipun “fundamental behavior” dari mekanisme QoS tetap tidak berubah.

MPLS secara fundamental adalah teknik “tunneling”, jadi mekanisme QoS memungkinkan untuk penerapan yang flexible dengan “tunneling” QoS pelanggan melalui policies QoS dari Service Provider.

Oleh karena itu, Service Provider seharusnya menggunakan nilai EXP 6 untuk voice, dan nilai EXP 4 dan 3 untuk trafik non-voice. Menyediakan transparent services secara simultan untuk Enterprise dengan Maps QoS sebagai berikut :

• Menggunakan Prec 3 untuk voice dan Prec 2 untuk trafik non-voice
• Menggunakan Prec 5 untuk voice dan Prec 4 untuk trafic non-voice

Penawaran service QoS pada MPLS VPN telah menjadi nilai tambah bagi Service Provider, tetapi penerapan QoS bervariasi antar customer. Beberapa customer membuat hanya 2 class of services - (voice dan non-voice), sementara lainnya membuat sebanyak 5 class :

• Best Effort Data
• Interactive Data (i.e.,Telnet)
• Mission Critical Data (ERP applications; i.e., SAP, PeopleSoft)
• Video
• Voice

Kesimpulan

MPLS sedang berkembang sebagai teknologi yang dapat diterima secara luas, dibuktikan dengan lebih dari 100 customers menerapkan Cisco MPLS. Hal ini penting untuk dicatat bahwa MPLS tidak menggantikan IP. IP Control Plane adalah komponen fundamental MPLS. Kemampuan menambahkan “ATM-like Forwarding Plane” membuatnya menarik bagi Service Provider dan Enterprises.

Service Provider bisa mendapatkan keuntungan sebesar 25% dengan menerapkan MPLS VPNs, MPLS QoS dan MPLS TE, daripada sekedar menyediakan koneksi VPNs biasa.

Kesimpulan akhir adalah, keuntungan utama bagi Service Provider dan Enterprises menerapakan MPLS-enabled IP Network adalah kemampuan menyediakan koneksi Layer 3 dan Layer 2 dan “shared services” (seperti DHCP, NAT, dll) melalui “single network”, dengan tingkat optimasi dan utilisasi yang tinggi dari bandwidth yang tersedia menggunakan TE dan QoS.

1. Ip address setting
/ip address
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="Link to Local Lan" disabled=no
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.255 interface=speedy1 comment="Link to Modem 1" disabled=no
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=speedy2 comment="Link to Modem 2" disabled=no

2. Manggle setting for NTH concept and packet mark
/ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,2,0 action=mark-connection new-connection-mark=link1 passthrough=yes comment="Mark Nth for link 1" disabled=no
add chain=prerouting in-interface=Local connection-mark=link1 action=mark-routing new-routing-mark=link1 passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,2,1 action=mark-connection new-connection-mark=link2 passthrough=yes comment="Mark Nth for link 1" disabled=no
add chain=prerouting in-interface=Local connection-mark=link2 action=mark-routing new-routing-mark=link2 passthrough=no comment="" disabled=no

3. Nat tables for Link1 and link 2
/ip firewall nat
add chain=srcnat connection-mark=link1 action=src-nat to-addresses=192.168.1.2 to-ports=0-65535 comment="Masquee Nat Link 1" disabled=no
add chain=srcnat connection-mark=link2 action=src-nat to-addresses=192.168.2.2 to-ports=0-65535 comment="Masquee Nat Link 2" disabled=no

4. Ip routing for link 1 and 2
/ ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=link1 comment="Link To modem1" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.2 scope=255 target-scope=10 routing-mark=link2 comment="Link To modem1" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.2 scope=255 target-scope=10 comment="Default routing" disabled=no <<-- this default routing  simple configuration load balancing.