OK, my configuration is based on this example configuration and, besides IPv4 and IPv6, also has IPTV working. These are (in my opinion) the crucial parts of the configuration. I found the access lists crucial here, because I want to allow some traffic (web, and from my VMs email and SSH) inbound.
Gi0-3 are the ports on the switch part; Gi4 is the separate port I use for the uplink. In my configuration I have the IP addresses on the VLANs and everything set statically (no DHCP/RA/...). That may be where the issue I still have (websites sometimes respond slowly, as if IPv6 is not entirely working correctly; SSH and ping have no issues) comes from.
interface GigabitEthernet0
switchport trunk allowed vlan 1,2,<internal vlans>,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet4.4
encapsulation dot1Q 4
ip dhcp client client-id ascii IPTV_RG
ip address dhcp
ip nat outside
ip virtual-reassembly in
ip igmp explicit-tracking
ip igmp unidirectional-link
!
interface GigabitEthernet4.6
encapsulation dot1Q 6
pppoe enable group global
pppoe-client dial-pool-number 1
pppoe-client ppp-max-payload 1492
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group Freedom-inbound-v4 in
ip access-group Freedom-outbound-v4 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ipv6 address autoconfig default
ipv6 enable
ipv6 dhcp client pd ISP_PREFIX
ipv6 verify unicast reverse-path
ipv6 traffic-filter Freedom-inbound-v6 in
ipv6 traffic-filter Freedom-outbound-v6 out
ppp authentication pap chap callin
! Type 7 "encryption" is a reversible obfuscation, not a hash: anyone who can
! read these lines can recover the password. Never post real values; store the
! secret as type 6 (AES) where the platform supports it for this command.
ppp chap hostname fake@freedom.nl
ppp chap password 7 101F5B4A51
ppp pap sent-username fake@freedom.nl password 7 091D1C5A4D
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 route ::/0 Dialer1
!
! Not sure if needed
ip forward-protocol nd
!
! Set NAT for internet (NAT) and TV (NAT_TV)
no ip nat service dns-reset-ttl
ip nat inside source list ACL_NAT interface Dialer1 overload
ip nat inside source list ACL_NAT_TV interface GigabitEthernet4.4 overload
! Default route to internet
ip route 0.0.0.0 0.0.0.0 Dialer1
! Allow 10.0.0.0/8 to internet
ip access-list standard ACL_NAT
permit 10.0.0.0 0.255.255.255
! Allow TV vlan to vlan4
ip access-list standard ACL_NAT_TV
permit <TV vlan> 0.0.0.255
!
! Create dynamic access-list based on outgoing connections
! so we can allow related traffic back in
ip access-list extended Freedom-outbound-v4
permit tcp any any reflect RELATED4 timeout 300
permit udp any any reflect RELATED4 timeout 300
permit icmp any any reflect RELATED4 timeout 300
!
ipv6 access-list Freedom-outbound-v6
permit tcp any any reflect RELATED6 timeout 300
permit udp any any reflect RELATED6 timeout 300
permit icmp any any reflect RELATED6 timeout 300
!
! Allow related traffic and ICMP back in. Everything not listed hits the
! implicit deny, so permits for the web/SSH/mail hosts belong in this list;
! the inbound ACL is checked before NAT, so they must match the Dialer1 address.
ip access-list extended Freedom-inbound-v4
evaluate RELATED4
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any any timestamp-request
permit icmp any any timestamp-reply
!
! for IPv6 permit incoming udp 546 (DHCPv6-PD renewal). IOS IPv6 ACLs implicitly
! permit ND neighbor solicitation/advertisement before the implicit deny; an
! explicit "deny ipv6 any any" at the end removes that and must then be paired
! with "permit icmp any any nd-ns" / "permit icmp any any nd-na".
ipv6 access-list Freedom-inbound-v6
evaluate RELATED6
permit udp any any eq 546
permit icmp any any destination-unreachable
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any parameter-problem
permit icmp any any echo-request
permit icmp any any echo-reply
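To make the reflect/evaluate pattern in the Dialer1 access lists concrete, here is a small Python model of it. This is an added example, not code from the post or from Cisco: it models only TCP/UDP, one idle timer and RST teardown, and the WAN address (203.0.113.10), the peer addresses and the `STATIC_INBOUND` permit for a web server are constructed assumptions, standing in for the lines the post leaves out.

```python
"""Toy model of the reflexive-ACL pattern used on Dialer1 (reflect / evaluate).

Added example, not part of the original post: it models only TCP/UDP, a single
idle timer and RST teardown, enough to show which packets the inbound list lets
through. Addresses and the STATIC_INBOUND permit are constructed assumptions.
"""
from dataclasses import dataclass

RELATED_TIMEOUT = 300          # "reflect RELATED4 timeout 300"
WAN_IP = "203.0.113.10"        # assumed Dialer1 address (documentation range)

# Hypothetical explicit permit the post omits: the inbound ACL is evaluated before
# NAT, so an inbound permit for a port-forwarded web server names the WAN address.
STATIC_INBOUND = [("tcp", WAN_IP, 443)]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"RST"}


class ReflexiveAcl:
    """An outbound packet creates a temporary entry for the mirrored 5-tuple.

    Entries expire after `timeout` idle seconds (refreshed on every match) and,
    for TCP, are dropped as soon as an RST is seen. IOS also removes them
    shortly after both FINs; that is not modelled here.
    """

    def __init__(self, timeout=RELATED_TIMEOUT):
        self.timeout = timeout
        self.entries = {}            # (proto, src, sport, dst, dport) -> expiry

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def reflect(self, pkt, now):
        mirror = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[self._key(mirror)] = now + self.timeout

    def evaluate(self, pkt, now):
        key = self._key(pkt)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[key]    # idle timer ran out
            return False
        if pkt.proto == "tcp" and "RST" in pkt.flags:
            del self.entries[key]    # session torn down: permit this packet, forget the entry
            return True
        self.entries[key] = now + self.timeout
        return True


def outbound(pkt, related, now):
    """Freedom-outbound-v4: permit tcp/udp any any, reflecting each flow."""
    if pkt.proto in ("tcp", "udp"):
        related.reflect(pkt, now)
        return True
    return False


def inbound(pkt, related, now):
    """Freedom-inbound-v4: 'evaluate RELATED4' first, then static permits, then implicit deny."""
    if related.evaluate(pkt, now):
        return True
    return any(pkt.proto == proto and pkt.dst == dst and pkt.dport == dport
               for proto, dst, dport in STATIC_INBOUND)


def run_scenario():
    """Constructed packet sequence; returns a dict of permit decisions."""
    related = ReflexiveAcl()
    peer = "198.51.100.5"
    syn = Packet("tcp", WAN_IP, 40001, peer, 443, frozenset({"SYN"}))
    synack = Packet("tcp", peer, 443, WAN_IP, 40001, frozenset({"SYN", "ACK"}))
    outbound(syn, related, now=0)
    results = {"reply_to_own_session": inbound(synack, related, now=1)}
    # Nobody opened this from inside and there is no static permit: implicit deny.
    results["unsolicited_ssh"] = inbound(Packet("tcp", peer, 5555, WAN_IP, 22), related, now=2)
    # The explicit permit is what makes the web server reachable.
    results["unsolicited_https"] = inbound(Packet("tcp", peer, 5556, WAN_IP, 443), related, now=2)
    # A peer RST removes the entry before the idle timer would.
    outbound(Packet("tcp", WAN_IP, 40002, peer, 443, frozenset({"SYN"})), related, now=10)
    inbound(Packet("tcp", peer, 443, WAN_IP, 40002, frozenset({"RST"})), related, now=11)
    results["after_rst"] = inbound(Packet("tcp", peer, 443, WAN_IP, 40002), related, now=12)
    # 300 s of silence on the first flow (last refreshed at t=1): its reply is denied.
    results["reply_after_timeout"] = inbound(synack, related, now=302)
    return results


if __name__ == "__main__":
    for name, permitted in run_scenario().items():
        print(f"{name:22} {'permit' if permitted else 'deny'}")
```

The point the model makes is the one behind the `evaluate RELATED4` line: only return traffic for flows the LAN opened gets in, and anything the post wants reachable from outside (web, SSH, mail) needs its own permit after `evaluate`, written against the pre-NAT Dialer1 address.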
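The `password 7` strings in the Dialer1 block deserve a caveat: type 7 is a fixed-key XOR, not a hash, so pasting a config on a forum hands out the PPP credentials. The following script is an added example (not from the post or from Cisco) that decodes and re-encodes type 7 strings and scans a config for them; the snippet it runs on is constructed from the two lines in the post, and the regex pattern and function names are mine.

```python
"""Cisco IOS "type 7" password obfuscation, decoded.

Added example, not from the original post. The two 'password 7' strings in
SAMPLE are the ones posted; the algorithm is the long-known XOR against a fixed
key string, so nothing in a config that carries type 7 strings is secret.
"""
import re

# Fixed translation key used by IOS for type 7 (Vigenère-style XOR).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "password 7 <hex>" and "key 7 <hex>" on a config line (pattern is an assumption).
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def decode_type7(encoded):
    """First two characters are the decimal key offset; the rest is hex of byte XOR key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    plain = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(plain)


def encode_type7(plain, seed=0):
    """Inverse of decode_type7; seed is the key offset IOS would pick (0..15 in practice)."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain):
        out.append(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def find_type7(config_text):
    """Return (line, plaintext) for every type 7 string found in an IOS config."""
    hits = []
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# The lines quoted from the post (constructed snippet).
SAMPLE = """
 ppp chap hostname fake@freedom.nl
 ppp chap password 7 101F5B4A51
 ppp pap sent-username fake@freedom.nl password 7 091D1C5A4D
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE):
        print(f"{line!r:64} -> {plain!r}")
```

Run it and both posted strings come out as `1234`, which is clearly a placeholder here, but the same one-liner works on any real config: treat a type 7 string as plaintext when deciding what to share.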