thegameiam wrote,
@ 2008-03-17 21:27:00
Current location:home, with DoL
Current mood: geeky
Current music:none, but I'm going to fix that
Entry tags:networking

In the words of Triumph, the insult comic dog
"I am a huge nerd"

gibson-1811#sh run
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption <---- yep. Because service password-encryption just gives you type 7 (password 7) encoding, which is reversible and cracks like a bad plaster wall
!
hostname gibson-1811
!
ip cef table adjacency-prefix validate
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.17.0.1
ip dhcp excluded-address 172.17.1.200 172.17.1.255
!
ip dhcp pool gibsonusers
network 172.17.0.0 255.255.254.0
domain-name hsd1.dc.comcast.net
default-router 172.17.0.1
dns-server 68.87.71.226
lease 0 12
!
!
ip domain name hsd1.dc.comcast.net
ip name-server 68.87.71.226
ip ssh version 2
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
crypto (snipped, duh...)
!
!
!
!
class-map match-all ICMP
match protocol icmp
class-map match-any PEER2PEER
match protocol fasttrack
match protocol edonkey
match protocol gnutella
match protocol kazaa2
match protocol bittorrent
match protocol napster
class-map match-any WEB
match protocol http
match protocol secure-http
!
!
policy-map curious2 <---- I'm not going to block this stuff, but I'm curious how much there is.
class WEB
class PEER2PEER
class ICMP
class class-default
policy-map curious
class WEB
set dscp cs3
class PEER2PEER
set dscp default
class ICMP
set dscp cs1
class class-default
set dscp cs2
!
interface Tunnel6
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ipv6 address 2001:470:1F06:AE::/64 eui-64 <----- the money shot
ipv6 enable
tunnel source FastEthernet1
tunnel destination 209.51.161.14 <--- The ipv6.he.net Tunnel Broker
tunnel mode ipv6ip <-- not GRE - take notice!
!
interface FastEthernet1
ip address 74.92.149.90 255.255.255.248 secondary <--- left over from when AJ (frog) lived here - I set him up with a static IP address, and does he let me win at Civilization?? No
ip address 74.92.149.89 255.255.255.248
ip access-group protect-wan in <--- block regular crap-virus ports. Not a single complaint, ever.
ip nbar protocol-discovery <--- CPU intensive, but worth it.
ip nat outside
ip nat allow-static-host
ip nat enable
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
service-policy input curious2 <--- here's where I get all snoopy and stuff
service-policy output curious
!
interface FastEthernet2 <---- I snipped all the other identical ports
switchport access vlan 69
!
interface FastEthernet8
switchport access vlan 666 <--- yes, this is a bad, bad vlan. No one should ever use it.
!
interface FastEthernet9
switchport access vlan 666 <--- it's still bad.
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
no ip address
ip tcp adjust-mss 1452
shutdown <---- and you thought I'd get suckered into using VLAN1, which is home to CDP and all the other default Cisco crap...
!
interface Vlan69 <--- (Butt-Head: huh huh huh)
ip address 66.160.4.129 255.255.255.128 secondary <--- the old gibson address range from CavTel: I don't feel like renumbering the APs, and this nicely puts them on a non-routable block.
ip address 192.168.69.1 255.255.255.248 secondary <--- More of AJ's stuff
ip address 172.17.0.1 255.255.254.0
ip nbar protocol-discovery
ip nat inside
ip nat enable
ip virtual-reassembly
ipv6 address 2001:470:1F07:AE::/64 eui-64 <--- here's the IPv6 address you'll get at the Gibson
ipv6 enable
ipv6 nd prefix 2001:470:1F07:AE::/64 infinite infinite <-- There's no reason to age out the ND advertisements
ipv6 flow ingress <--- because life is better with statistics
ipv6 flow egress
!
no ip forward-protocol nd <--- Because I don't want IPv6 ND packets going across the IPv4 link.
ip route 0.0.0.0 0.0.0.0 74.92.149.94 <--- default to Comcast
!
ip nat pool gibson-over 74.92.149.89 74.92.149.89 prefix-length 29 add-route
ip nat source list 1 interface FastEthernet1 overload
ip nat inside source static 192.168.69.2 74.92.149.90 <--- and here's the static NAT
!
ip access-list extended protect-wan
permit udp host 74.92.149.91 any eq snmp <--- allow my own MRTG
deny udp any any eq snmp
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny udp any any eq 445
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
permit ip any any
!
access-list 1 permit 172.17.0.0 0.0.1.255
no cdp run
!
!
ipv6 route ::/0 Tunnel6 <--- Here's where you get the IPv6 connectivity
gibson-1811#
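The protect-wan list above is an extended ACL, so IOS walks it top-down, the first matching entry wins, and anything that falls off the end hits the implicit deny. The Python below is an added example (not code from the post) that parses a constructed copy of those same entries and runs a handful of constructed packets through them; the port-name table is a small assumed subset of the IOS keyword table, covering only the names this ACL uses, and 203.0.113.7 is a documentation address standing in for "some host on the Internet".

```python
import ipaddress

# Constructed copy of the post's "protect-wan" extended ACL, entry for entry.
PROTECT_WAN = """\
permit udp host 74.92.149.91 any eq snmp
deny udp any any eq snmp
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ns
deny udp any any eq netbios-ss
deny udp any any eq 445
deny tcp any any eq 137
deny tcp any any eq 138
deny tcp any any eq 445
permit ip any any
"""

# Assumption: only the IOS port keywords this ACL uses are needed.
PORT_NAMES = {"snmp": 161, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}


def parse_addr(tokens, i):
    """Parse an IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A WILDCARD': a wildcard mask is the bitwise inverse of a netmask
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wild) & 0xFFFFFFFF)
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2


def parse_port(tokens, i):
    """Parse an optional 'eq PORT' operator (the only operator this ACL uses)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES.get(name) or int(name)), i + 2
    return None, i


def parse_acl(text):
    """Return ACEs as (action, proto, src_net, src_port, dst_net, dst_port), in order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, i = parse_addr(t, 2)
        sport, i = parse_port(t, i)      # a port after the source is a source port
        dst, i = parse_addr(t, i)
        dport, i = parse_port(t, i)      # a port after the destination is a destination port
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport, sport=None):
    """IOS semantics: first matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, asport, adst, adport in aces:
        if aproto not in ("ip", proto):
            continue
        if s not in asrc or d not in adst:
            continue
        if asport is not None and asport != sport:
            continue
        if adport is not None and adport != dport:
            continue
        return action
    return "deny"


def protect_wan_verdicts():
    """Constructed packets arriving inbound on the WAN side (router address 74.92.149.89)."""
    aces = parse_acl(PROTECT_WAN)
    wan = "74.92.149.89"
    return {
        "snmp_from_mrtg": evaluate(aces, "udp", "74.92.149.91", wan, 161),
        "snmp_from_internet": evaluate(aces, "udp", "203.0.113.7", wan, 161),
        "smb_tcp445": evaluate(aces, "tcp", "203.0.113.7", wan, 445),
        "netbios_udp139": evaluate(aces, "udp", "203.0.113.7", wan, 139),
        "netbios_tcp139": evaluate(aces, "tcp", "203.0.113.7", wan, 139),
        "https": evaluate(aces, "tcp", "203.0.113.7", wan, 443),
    }


if __name__ == "__main__":
    for name, verdict in protect_wan_verdicts().items():
        print(f"{name:20s} {verdict}")
```

Two things the walk-through makes visible: the MRTG host's SNMP is permitted only because its entry sits above the blanket SNMP deny (swap the order and MRTG breaks), and the list denies UDP 139 (netbios-ss) but has no TCP 139 entry, so NetBIOS session traffic over TCP is still passed by the final `permit ip any any`. Whether that matters depends on what sits behind the router, but it is the kind of gap an ordering-aware evaluator catches that eyeballing the list does not.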


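The `eui-64` keyword on the Tunnel6 and Vlan69 addresses tells IOS to build the low 64 bits of the address from the interface MAC: split the MAC in half, insert ff:fe in the middle, and flip the universal/local bit of the first octet. Clients doing SLAAC off the advertised 2001:470:1F07:AE::/64 prefix get the same treatment by default. The Python below is an added example (not the post's code) that does both directions; the prefix is the one from the config, and the MAC 001b.d512.3456 is a constructed value.

```python
import ipaddress
import re


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC.
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, or Cisco's aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    m = bytes.fromhex(hexdigits)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])  # insert ff:fe between the OUI and the NIC part
    iid[0] ^= 0x02                                 # flip the universal/local bit
    return bytes(iid)


def eui64_address(prefix, mac):
    """The address IOS (or a SLAAC client) forms for a /64 prefix and a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(address):
    """Recover the MAC embedded in an EUI-64 address, or None if the ff:fe
    marker is absent (a static or privacy-extension address)."""
    raw = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")
    iid = bytearray(raw[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    addr = eui64_address("2001:470:1F07:AE::/64", "001b.d512.3456")
    print(addr, "->", mac_from_eui64(addr))
```

The reverse function is there to make the trade-off concrete: an EUI-64 address carries the hardware address of the host that formed it, so the same host is recognisable by its interface identifier on any network it joins. That is convenient for inventory on your own LAN and is exactly why client operating systems grew privacy extensions for the addresses they use outbound.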



Giggling
za_beth
2008-03-18 01:52 am UTC
Yes I was entertained by this.... No I'm not particularly proud of that. ;) Brilliant tho. :)
B


Re: Giggling
thegameiam
2008-03-18 01:54 am UTC
:)

The question is: were you entertained by the configuration, or by the commentary on the configuration?


Re: Giggling
fiberguyr1
2008-03-18 05:09 pm UTC
I was entertained by both. How much does the nbar protocol-discovery crank up CPU usage?


Re: Giggling
thegameiam
2008-03-18 05:20 pm UTC
The CPU on that router hovers around 15% regularly, and it's not pushing that much traffic: maybe a meg or thereabouts. I'm not sure precisely how much of that is due to the nbar (as opposed to the other features).

My rule of thumb is this: if you're looking at a router which is anywhere near the pps or Mbps forwarding limitations, avoid nbar like the plague. If you're well under, then it's worth considering.


