IMPORTANT! BE SURE TO CAREFULLY READ AND UNDERSTAND ALL OF THE RIGHTS AND RESTRICTIONS SET
FORTH IN THIS END-USER LICENSE AGREEMENT ("EULA"). YOU ARE NOT AUTHORIZED TO USE THIS NETWORK
CONFIGURATION GUIDE/TRAINING UNLESS AND UNTIL YOU ACCEPT THE TERMS OF THIS EULA.
This EULA is a binding legal agreement between you and ROUTEHUB GROUP, LLC (hereinafter "Licensor") for the
materials accompanying this EULA, including the accompanying computer Network Configuration Guide/Training, associated media,
printed materials and any "online" or electronic documentation (hereinafter the "Network Configuration Guide/Training"). By using
the Network Configuration Guide/Training, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this
EULA, do not install or attempt to use the Network Configuration Guide/Training.
The Guide & Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual authorized to use the Guide &
Training Materials throughout the term of this License.
1. Grant of License
The Network Configuration Guide/Training is protected by copyright laws and international copyright treaties, as well as
other intellectual property laws and treaties. The Network Configuration Guide/Training is licensed, not sold. This EULA grants you
the following rights:
A. You may use, access, display and run only one copy of the Network Configuration Guide/Training, on a single
computer, workstation or terminal ("Computer"). The primary user of the Computer on which the Network Configuration
Guide/Training is installed may make a second copy for his or her exclusive use for archival purposes only.
B. You may store or install a copy of the Network Configuration Guide/Training on a storage device, such as a network
server, used only to run the Network Configuration Guide/Training on your other Computers over an internal network. You must,
however, acquire a license for each separate Computer on which the Network Configuration Guide/Training is run, displayed or
utilized from the server or similar device. A license for the Network Configuration Guide/Training may not be shared or used
concurrently on different Computers.
C. Your license rights under this EULA are non-exclusive. All rights not expressly granted herein are reserved by
Licensor.
D. You may not sell, transfer or convey the Network Configuration Guide/Training to any third party without Licensor's
prior express written consent.
If you have not previously paid the license fee for the Network Configuration Guide/Training, then you must pay the license
fee within the period indicated in the applicable invoice sent to you by Licensor.
3. Support Services
This EULA is a license of the Network Configuration Guide/Training only, and Licensor does not assume any obligation to
provide maintenance, patches or fixes to the Network Configuration Guide/Training. Licensor further disclaims any obligation to
provide support or to prepare and distribute modifications, enhancements, updates and new releases of the Network Configuration
Guide/Training.
5. Termination
You may terminate this EULA at any time by destroying all your copies of the Network Configuration Guide/Training. Your
license to the Network Configuration Guide/Training automatically terminates if you fail to comply with the terms of this agreement.
Upon termination, you are required to remove the Network Configuration Guide/Training from your computer and destroy any copies
of the Network Configuration Guide/Training in your possession. No refund with the product will be granted.
6. Copyright
A. All title and copyrights in and to the Network Configuration Guide/Training (including but not limited to any images,
photographs, animations, video, audio, music and text incorporated into the Network Configuration Guide/Training), the
accompanying printed materials, and any copies of the Network Configuration Guide/Training, are owned by Licensor or its
suppliers. This EULA grants you no rights to use such content. If this Network Configuration Guide/Training contains documentation
that is provided only in electronic form, you may print one copy of such electronic documentation. Except for any copies of this
EULA, you may not copy the printed materials accompanying the Network Configuration Guide/Training.
B. You may not reverse engineer, de-compile, disassemble, alter, duplicate, modify, rent, lease, loan, sublicense, make
copies of, create derivative works from, distribute or provide others with the Network Configuration Guide/Training in whole or part,
transmit or communicate the application over a network.
7. Export Restrictions
You may not export, ship, transmit or re-export Network Configuration Guide/Training in violation of any applicable law or
regulation including but not limited to Export Administration Regulations issued by the U. S. Department of Commerce.
8. Disclaimer of Warranties
LICENSOR AND ITS SUPPLIERS PROVIDE THE NETWORK CONFIGURATION GUIDE/TRAINING "AS IS" AND WITH
ALL FAULTS, AND HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, EITHER EXPRESS, IMPLIED OR
STATUTORY, INCLUDING BUT NOT LIMITED TO ANY (IF ANY) IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF LACK OF VIRUSES, AND OF LACK OF NEGLIGENCE
OR LACK OF WORKMANLIKE EFFORT. ALSO, THERE IS NO WARRANTY OR CONDITION OF TITLE, OF QUIET
ENJOYMENT, OR OF NONINFRINGEMENT. THE ENTIRE RISK ARISING OUT OF THE USE OR PERFORMANCE OF THE
NETWORK CONFIGURATION GUIDE/TRAINING IS WITH YOU.
9. Limitation of Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR OR ITS SUPPLIERS
BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, DIRECT, INDIRECT, SPECIAL, PUNITIVE OR OTHER DAMAGES
WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE NETWORK
CONFIGURATION GUIDE/TRAINING AND WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR
OTHERWISE, EVEN IF LICENSOR OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
EXCLUSION OF DAMAGES WILL BE EFFECTIVE EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
10. Arbitration
Any dispute arising under this EULA will be subject to binding arbitration by a single Arbitrator with the American Arbitration
Association (AAA), in accordance with its relevant industry rules, if any. The parties agree that this EULA will be governed by and
construed and interpreted in accordance with the laws of the State of California. The arbitration will be held in California. The
Arbitrator will have the authority to grant injunctive relief and specific performance to enforce the terms of this EULA. Judgment on
any award rendered by the Arbitrator may be entered in any Court of competent jurisdiction.
11. Severability
12. No Waiver
No waiver of any right under this EULA will be deemed effective unless contained in writing signed by a duly authorized
representative of the party against whom the waiver is to be asserted, and no waiver of any past or present right arising from any
breach or failure to perform will be deemed to be a waiver of any future rights arising out of this EULA.
This EULA constitutes the entire agreement between the parties with respect to its subject matter, and supersedes all prior
agreements, proposals, negotiations, representations or communications relating to the subject matter. Both parties acknowledge
that they have not been induced to enter into this EULA by any representations or promises not specifically stated herein.
CONTENTS
IP ROUTING
LAN SWITCHING
MULTICAST
QUALITY OF SERVICE (QOS)
IPV6
FIRST HOP REDUNDANCY PROTOCOLS (FHRP)
NETWORK MANAGEMENT
GENERAL AND IP SERVICES
L3VPN
L2VPN
GENERAL
CISCO ASA 5500 / PIX500 / FWSM
CISCO PIX 500 SERIES
CISCO CATALYST 6500 SERIES
CISCO CATALYST 4500 SERIES
CISCO ACE SERIES
CISCO NEXUS SERIES (NX-OS)
BASE CONFIGURATION
TEMPLATES
SOLUTIONS & SCENARIOS
MICROSOFT
IP ROUTING
  OSPF
  EIGRP
  BGP
  Route Tagging
  Static
OSPF
  OSPF Routing
  Router ID
  Default Routing
  OSPF Network: Point-to-Point
  Passive Interface
  MD5 Authentication
  DR and BDR Selection
  SPF and LSA Timers
  Neighbor Timers
  Changing Admin Distance
  Maximum Paths Per Route
  Auto Cost Reference
  Reduce OSPF Flooding
  OSPF Cost
  Internal Route Summarization
  External Route Summarization
  Virtual Link
  Route Redistribution
  OSPF Stub: Totally Stub
  Monitor
OSPF ROUTING
>>R1<<
! enables the OSPF routing process with process ID 1 (locally significant; it need not match on other routers)
router ospf 1
! specify router ID IP address to use
router-id 1.1.1.1
log-adjacency-changes
! interfaces whose address falls inside these ranges (wildcard mask, not subnet mask) run OSPF in the given area,
! form adjacencies and have their networks advertised
network 192.168.10.0 0.0.0.255 area 10
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
network 1.1.1.1 0.0.0.0 area 10
ROUTER ID
>>R1<<
router ospf 1
! 32-bit OSPF router ID (must be unique in the OSPF domain; a change takes effect only after clear ip ospf process)
router-id 1.1.1.1
DEFAULT ROUTING
>>R1<<
router ospf 1
! advertise an OSPF default route to all OSPF neighbors; "always" originates it even when R1 has no default route itself
! (omit "always" to advertise only while a default route exists in R1's routing table)
default-information originate always
OSPF NETWORK: POINT-TO-POINT
>>R1<<
interface FastEthernet0/1
! treat the link as point-to-point: no DR/BDR election and a faster adjacency; use on links with exactly two
! routers and configure the same network type on both ends
ip ospf network point-to-point
PASSIVE INTERFACE
>>R1<<
router ospf 1
! disables OSPF routing for all interfaces on R1 except for FE0/1 and FE0/2
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet0/2
MD5 AUTHENTICATION
>>R1<<
interface FastEthernet0/1
! enables cryptographic (MD5) authentication of OSPF packets on this interface
ip ospf authentication message-digest
! key ID 1 and its key (at most 16 characters); both must match on every router on the link
ip ospf message-digest-key 1 md5 cisco123
router ospf 1
! enables message-digest authentication for every interface in area 10 (alternative to the per-interface command)
area 10 authentication message-digest
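What the key above actually does on the wire, as an added example (not code from the guide): the OSPFv2 cryptographic authentication trailer of RFC 2328 Appendix D.4.3, which is what ip ospf message-digest-key produces. The Hello contents, router ID, area and the key are constructed sample values; the key is the page's cisco123.

```python
"""OSPFv2 cryptographic (MD5) authentication, RFC 2328 Appendix D.4.3.

Builds a minimal Hello with the header fields a router sends when
AuType is 2, computes the 16-byte trailer and verifies it. Constructed
sample data throughout; not the guide's code.
"""
import hashlib
import struct

AU_CRYPTOGRAPHIC = 2   # AuType for cryptographic authentication
DIGEST_LEN = 16        # Auth Data Len for MD5; the key is also 16 bytes


def pad_key(key: bytes) -> bytes:
    """The key is used as 16 raw bytes, zero-padded. IOS limits the
    message-digest-key string to 16 characters for exactly this reason."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def dotted(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ospf_header(pkt_type: int, router_id: str, area_id: str, body_len: int,
                key_id: int, crypto_seq: int) -> bytes:
    """24-byte OSPFv2 header as sent with AuType 2: the checksum is zero and
    the 8-byte authentication field carries (0, key id, auth data len, seq)."""
    fixed = struct.pack("!BBH4s4sHH", 2, pkt_type, 24 + body_len,
                        dotted(router_id), dotted(area_id), 0, AU_CRYPTOGRAPHIC)
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, crypto_seq)
    return fixed + auth


def hello_body(netmask: str, hello: int, dead: int, priority: int) -> bytes:
    """Hello with no neighbours listed: mask, hello interval, options (E bit),
    router priority, dead interval, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", dotted(netmask), hello, 0x02, priority,
                       dead, bytes(4), bytes(4))


def md5_trailer(packet: bytes, key: bytes) -> bytes:
    """digest = MD5(packet || key). A keyed hash, not an HMAC, and MD5 at that."""
    return hashlib.md5(packet + pad_key(key)).digest()


def sign(packet: bytes, key: bytes) -> bytes:
    """Packet as it goes on the wire: the digest follows the OSPF length."""
    return packet + md5_trailer(packet, key)


def verify(wire: bytes, key: bytes) -> bool:
    """Receiver side: split at the OSPF length field, recompute, compare."""
    length = struct.unpack("!H", wire[2:4])[0]
    packet, trailer = wire[:length], wire[length:length + DIGEST_LEN]
    return len(trailer) == DIGEST_LEN and trailer == md5_trailer(packet, key)


def crypto_seq(wire: bytes) -> int:
    """Cryptographic sequence number: bytes 20..23 of the header."""
    return struct.unpack("!I", wire[20:24])[0]


def accept(wire: bytes, key: bytes, last_seq: int) -> bool:
    """What a neighbour checks: a good digest and a sequence number that has
    not gone backwards (RFC 2328 requires >= the last one seen)."""
    return verify(wire, key) and crypto_seq(wire) >= last_seq


def example() -> bytes:
    """Hello from R1 (1.1.1.1) in area 10 on a /24, key ID 1, key cisco123."""
    body = hello_body("255.255.255.0", 10, 40, 1)
    header = ospf_header(1, "1.1.1.1", "0.0.0.10", len(body), 1, 1000)
    return sign(header + body, b"cisco123")
```

Because the key goes into the hash raw, one captured Hello is enough for an offline guess at MD5 speed, and the sequence number only stops replay of older packets. Where the platform supports it, prefer an HMAC-SHA key chain for OSPFv2 (RFC 5709) over message-digest keys.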
DR AND BDR SELECTION
(Figure: R1 (.1), R2 (.2), R3 (.3) and R4 (.4) share 192.168.1.0/24; R2 also has 192.168.2.0/24 and R3 192.168.3.0/24; R4 is never a DR or BDR)
>> R1 <<
interface fastethernet0/1
! highest priority on the segment: elected DR (default priority is 1; ties are broken by the highest router ID)
ip ospf priority 10
>> R2 <<
interface fastethernet0/1
! next highest priority: elected BDR
ip ospf priority 5
>> R3 <<
interface fastethernet0/1
! lower priority: DROther, but still eligible to become BDR if R1 or R2 fails
ip ospf priority 2
>> R4 <<
interface fastethernet0/1
! priority 0 never participates in the DR/BDR election
ip ospf priority 0
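The election rule the four priorities above rely on, as an added example (not the guide's code): highest priority wins, ties go to the highest router ID, priority 0 is ineligible, and an existing DR is not preempted. Router names, IDs and priorities are constructed to match the figure.

```python
"""OSPF DR/BDR election on one broadcast segment (RFC 2328 section 9.4).
Added example with constructed routers; not code from the guide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfRouter:
    name: str
    router_id: str   # dotted quad; compared numerically, highest wins ties
    priority: int    # ip ospf priority; 0 means never DR or BDR

    def rank(self):
        return (self.priority, tuple(int(o) for o in self.router_id.split(".")))


def _best(candidates):
    """Highest priority, then highest router ID."""
    return max(candidates, key=OspfRouter.rank)


def elect(routers, current_dr=None, current_bdr=None):
    """Return (dr_name, bdr_name) for the segment.

    With no current DR/BDR this models all routers starting together. With a
    current DR the election is non-preemptive: a router attaching later with a
    higher priority does not displace it, which is why a priority change only
    shows after the adjacency is reset (clear ip ospf process).
    """
    by_name = {r.name: r for r in routers}
    eligible = [r for r in routers if r.priority > 0]
    dr = by_name.get(current_dr) if current_dr else None
    bdr = by_name.get(current_bdr) if current_bdr else None
    if dr is None:
        if not eligible:
            return None, None
        dr = _best(eligible)
    if bdr is None:
        rest = [r for r in eligible if r is not dr]
        bdr = _best(rest) if rest else None
    return dr.name, bdr.name if bdr else None


# The figure's segment with the page's priorities (constructed router IDs).
SEGMENT = [
    OspfRouter("R1", "1.1.1.1", 10),
    OspfRouter("R2", "2.2.2.2", 5),
    OspfRouter("R3", "3.3.3.3", 2),
    OspfRouter("R4", "4.4.4.4", 0),
]
```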
SPF AND LSA TIMERS
>>R1<<
router ospf 1
! commonly recommended fast-convergence tuning; values are milliseconds: initial delay, minimum hold, maximum wait
! (the hold time doubles after each event up to the maximum)
timers throttle spf 10 100 5000
timers throttle lsa all 10 100 5000
! minimum interval at which a new instance of the same LSA is accepted; keep it below the neighbors' LSA hold time
timers lsa arrival 80
NEIGHBOR TIMERS
>>R1<<
interface FastEthernet0/1
! configures sub-second timers with neighbors for fast convergence
ip ospf dead-interval minimal hello-multiplier 4
OR
interface FastEthernet0/1
! hello interval in seconds; must match on both ends of the link
ip ospf hello-interval 2
! seconds without a hello before the neighbor is declared dead; must also match on both ends (typically 3 to 4 times the hello)
ip ospf dead-interval 6
CHANGING ADMIN DISTANCE
router ospf 1
! custom administrative distance per OSPF route type (default is 110 for all three)
distance ospf intra-area 100
distance ospf inter-area 101
distance ospf external 102
MAXIMUM PATHS PER ROUTE
router ospf 1
! number of equal-cost paths per destination installed in the routing table (default 4 on most IOS releases)
maximum-paths 2
AUTO COST REFERENCE
router ospf 1
! reference bandwidth in Mbps: cost = 1000 / interface bandwidth in Mbps (minimum 1).
! With the default of 100, FastEthernet and every faster interface all cost 1; set the same value on every router in the domain.
auto-cost reference-bandwidth 1000
REDUCE OSPF FLOODING
interface fastethernet0/1
! sets the DoNotAge bit on LSAs flooded out this interface so they are not refreshed every 30 minutes (stable topologies only)
ip ospf flood-reduction
OSPF COST
(Figure: R1 (1.1.1.1) reaches INET through R2 (2.2.2.2) over 10.1.2.0/24 and through R3 (3.3.3.3) over 10.1.3.0/24)
>>R1<<
! lower cost wins: give this interface a cost below the alternate path's, and a different one, so there is no
! equal-cost load sharing. FastEthernet defaults to cost 1 with the default reference bandwidth and 10 with
! auto-cost reference-bandwidth 1000, so check what the alternate path costs before picking the value.
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.0
ip ospf cost 10
INTERNAL ROUTE SUMMARIZATION
>>R1<<
router ospf 1
! ABR summarization: all area 10 subnets within 10.1.x.x are advertised into the other areas as 10.1.0.0/16.
! The fixed cost keeps the summary at an equal cost from each ABR where redundant paths exist (recommended).
! IOS also installs a Null0 discard route for the summary so traffic to unused parts of it is dropped, not looped.
area 10 range 10.1.0.0 255.255.0.0 cost 10
EXTERNAL ROUTE SUMMARIZATION
(Figure: R2, R1 and R3; the redistributed subnets 10.2.10.0/24, 10.2.20.0/24 and 10.2.30.0/24 are summarized by R3)
>> R3 <<
router ospf 1
! ASBR summarization: redistributed (external) routes within 10.2.x.x are advertised as a single 10.2.0.0/16 external LSA
summary-address 10.2.0.0 255.255.0.0
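Both summaries above claim far more than the three /24s in the figure. As an added example (not the guide's code), this checks a summary the way an operator should before configuring area range or summary-address: the tightest prefix that still covers the components, and how much address space the configured summary advertises that nothing behind the router actually uses. The component subnets are the figure's; the summaries are the page's.

```python
"""Checking an OSPF summary against the prefixes it is meant to cover.
Added example; the subnets are taken from the page's figures."""
from ipaddress import IPv4Network, collapse_addresses


def smallest_summary(prefixes):
    """Tightest single prefix containing every component, i.e. the value that
    claims no address space the components do not hold."""
    nets = [IPv4Network(p) for p in prefixes]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    cand = IPv4Network(str(lo))          # start at /32 and widen until hi fits
    while hi not in cand:
        cand = cand.supernet()
    return cand


def _exclude(pieces, n):
    """Remove prefix n from a list of disjoint CIDR pieces."""
    out = []
    for p in pieces:
        if p.subnet_of(n):
            continue                       # entirely covered by a component
        if n.subnet_of(p):
            out.extend(p.address_exclude(n))
        else:
            out.append(p)                  # disjoint
    return out


def summary_holes(summary, prefixes):
    """Address space the summary advertises that no component covers.
    Traffic for these destinations follows the summary to the ABR/ASBR, which
    is why IOS installs a Null0 discard route next to it (discard-route is on
    by default): without it the packets could loop back along a default route."""
    s = IPv4Network(summary)
    pieces = [s]
    for p in prefixes:
        n = IPv4Network(p)
        if not n.subnet_of(s):
            raise ValueError(f"{n} is not covered by {s}")
        pieces = _exclude(pieces, n)
    return sorted(collapse_addresses(pieces))


def hole_count(summary, prefixes) -> int:
    """Number of advertised-but-unused addresses behind the summary."""
    return sum(h.num_addresses for h in summary_holes(summary, prefixes))


# Component subnets from the page's external-summarization figure.
FIGURE_SUBNETS = ["10.2.10.0/24", "10.2.20.0/24", "10.2.30.0/24"]
```

summary_holes on 10.2.0.0/16 with the figure's subnets returns the CIDR pieces that only the discard route protects; smallest_summary shows that 10.2.0.0/19 would already cover all three.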
VIRTUAL LINK
>> R1 <<
router ospf 1
! R1 is the ABR attached to area 0: build a virtual link through transit area 20 to the router whose router ID is 3.3.3.3.
! Virtual links are addressed by router ID, not interface address, and the transit area cannot be a stub area.
area 20 virtual-link 3.3.3.3
network 192.168.10.0 0.0.0.255 area 10
network 10.1.3.0 0.0.0.255 area 20
network 1.1.1.1 0.0.0.0 area 10
>> R3 <<
router ospf 2
! far end of the virtual link: through transit area 20 back to the router whose router ID is 1.1.1.1
area 20 virtual-link 1.1.1.1
network 192.168.30.0 0.0.0.255 area 20
network 10.1.3.0 0.0.0.255 area 20
network 3.3.3.3 0.0.0.0 area 20
ROUTE REDISTRIBUTION
(EIGRP routes redistributed into OSPF on R1)
>>R1<<
! EIGRP routes that are allowed to be injected into OSPF
ip access-list standard ACL-EIGRP-ROUTES
permit 192.168.30.0 0.0.0.255
! route-map referenced by the redistribute command; routes not permitted by the ACL fall to the implicit deny
route-map RM-EIGRP-ROUTES permit 10
match ip address ACL-EIGRP-ROUTES
router ospf 1
network 192.168.10.0 0.0.0.255 area 10
network 1.1.1.1 0.0.0.0 area 10
network 10.1.2.0 0.0.0.255 area 0
! redistribute only the EIGRP routes permitted by the route-map into OSPF ("subnets" is required, otherwise only classful networks are redistributed)
redistribute eigrp 1 subnets route-map RM-EIGRP-ROUTES
OSPF STUB: TOTALLY STUB
>>R1<<
router ospf 1
network 10.1.2.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 10
network 10.1.3.0 0.0.0.255 area 31
! R1 is the ABR for area 31: make it a totally stubby area so only an OSPF default route is sent into it
! (no-summary matters only on the ABR; "area 31 stub" must be configured on every router in the area)
area 31 stub no-summary
>>R3<<
router ospf 3
network 192.168.30.0 0.0.0.255 area 31
network 10.1.3.0 0.0.0.255 area 31
! internal router in area 31: the stub flag must match the ABR's; it receives only the OSPF default route
area 31 stub no-summary
MONITOR
show ip ospf
show ip route ospf
show ip ospf neighbor
show ip ospf interface
show ip ospf database
EIGRP
  EIGRP Routing
  Passive Interface
  Neighbor Timers
  MD5 Authentication
  Route Summarization
  Changing Admin Distance
  Maximum Paths Per Route
  Route Control/Filtering
  EIGRP Stub
  Bandwidth Utilization
  EIGRP Bandwidth and Delay
  Route Redistribution
EIGRP ROUTING
>>R1<<
! Enables EIGRP routing process and specify EIGRP ASN of “1”
router eigrp 1
! specify what routes to advertise and build neighbors with other EIGRP routers.
network 192.168.10.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 1.1.1.1 0.0.0.0
! disable auto-summarization for EIGRP
no auto-summary
PASSIVE INTERFACE
>>R1<<
router eigrp 1
! disables EIGRP hellos (and so adjacencies) on all interfaces of R1 except FastEthernet0/1 and FastEthernet0/2; their networks are still advertised
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet0/2
NEIGHBOR TIMERS
>>R1<<
! 1-second hello and 3-second hold time for fast convergence (EIGRP has no sub-second hello; the hold time
! should be at least 3x the hello and is the value the neighbor applies, so it need not match on both sides)
interface FastEthernet0/1
ip hello-interval eigrp 1 1
ip hold-time eigrp 1 3
MD5 AUTHENTICATION
>>R1<<
! key chain SEIGRP: key ID 1 with key string cisco123 (ID and string must match on the neighbor)
key chain SEIGRP
key 1
key-string cisco123
interface FastEthernet0/1
! enable MD5 authentication for AS 1 on this interface and bind the key chain
! (EIGRP named mode also offers authentication mode hmac-sha-256, preferable to MD5 where available)
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 SEIGRP
ROUTE SUMMARIZATION
CHANGING ADMIN DISTANCE
router eigrp 1
! administrative distance for internal and external EIGRP routes (90 and 170 are the defaults)
distance eigrp 90 170
MAXIMUM PATHS PER ROUTE
router eigrp 1
! number of equal-cost paths per destination installed in the routing table (default 4)
maximum-paths 2
ROUTE CONTROL/FILTERING
>>R1<<
! standard ACL listing the EIGRP routes to advertise (a standard ACL matches only the network address, not the prefix length)
ip access-list standard ACL-EIGRP-ROUTES
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.30.0 0.0.0.255
router eigrp 1
! apply the ACL as an outbound distribute-list: only routes it permits are advertised to all neighbors
distribute-list ACL-EIGRP-ROUTES out
OR
! same, but only for advertisements sent out of interface FastEthernet0/1
distribute-list ACL-EIGRP-ROUTES out FastEthernet0/1
EIGRP STUB
(Figure: R1 (.1), R2 (.2) and R3 (.3) share 192.168.1.0/24; R1 also has 192.168.10.0/24, R2 192.168.2.0/24 and R3 192.168.3.0/24; R3 is the stub)
>> R3 <<
router eigrp 1
! mark R3 as a stub router in the EIGRP AS: it advertises only its connected subnets (192.168.3.0/24),
! is never used as a transit path, and neighbors do not query it, which bounds query scope and SIA events
eigrp stub connected
BANDWIDTH UTILIZATION
interface FastEthernet0/1
! cap EIGRP control traffic at 45% of the interface's configured bandwidth (default 50%)
ip bandwidth-percent eigrp 1 45
EIGRP BANDWIDTH AND DELAY
(Figure: R1 (1.1.1.1) reaches INET through R2 (2.2.2.2) over 10.1.2.0/24 and through R3 (3.3.3.3) over 10.1.3.0/24)
>>R1<<
! lower delay wins. Delay is summed along the path while bandwidth counts only the slowest link, so delay is
! the safer knob. Units are tens of microseconds; FastEthernet already defaults to 10 (DLY 100 usec), so set a
! lower value here, or a higher one on the alternate path, and keep the two paths unequal to avoid equal-cost load sharing
interface FastEthernet0/1
ip address 10.1.2.1 255.255.255.0
delay 5
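Why the page tunes delay rather than bandwidth, as an added example (not the guide's code): the classic EIGRP composite metric with default K values, applied to the two-path figure above. Link values are the IOS interface defaults for FastEthernet and GigabitEthernet; the path layout is a constructed assumption.

```python
"""Classic EIGRP composite metric and path choice. Added example with
constructed paths; not code from the guide."""

# Interface defaults as IOS reports them (show interfaces): BW in kbit/s and
# DLY in microseconds; the 'delay' command takes tens of microseconds.
FASTETHERNET = (100_000, 10)      # BW 100000 Kbit, DLY 100 usec -> delay 10
GIGABITETHERNET = (1_000_000, 1)  # BW 1000000 Kbit, DLY 10 usec  -> delay 1


def eigrp_metric(bandwidths_kbps, delays_tens_us, k1=1, k3=1):
    """Classic (32-bit) EIGRP metric with the default K values K1=K3=1 and
    K2=K4=K5=0, so the load and reliability terms vanish:
        metric = 256 * (K1 * 10^7 / min(bandwidth) + K3 * sum(delay))
    Bandwidth is the slowest link on the path; delay is cumulative. Integer
    division mirrors IOS, which is how one FastEthernet hop comes out as 28160."""
    bw_term = 10_000_000 // min(bandwidths_kbps)
    return 256 * (k1 * bw_term + k3 * sum(delays_tens_us))


def path_metric(links):
    """links: [(bandwidth_kbps, delay_tens_us), ...] hop by hop."""
    return eigrp_metric([b for b, _ in links], [d for _, d in links])


def best_path(paths):
    """paths: {name: links}. Returns (name, metric) of the lowest metric,
    i.e. the successor EIGRP installs."""
    scored = {name: path_metric(links) for name, links in paths.items()}
    name = min(scored, key=scored.get)
    return name, scored[name]


def figure_paths():
    """Constructed: two FastEthernet hops via R2, three via R3."""
    return {"via R2": [FASTETHERNET, FASTETHERNET],
            "via R3": [FASTETHERNET, FASTETHERNET, FASTETHERNET]}
```

Upgrading one hop of the longer path to GigabitEthernet changes nothing, because the slowest link still sets the bandwidth term; raising the delay on one interface of the shorter path is enough to flip the choice.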
ROUTE REDISTRIBUTION
(OSPF routes redistributed into EIGRP on R1)
>>R1<<
! OSPF routes that are allowed to be injected into EIGRP
ip access-list standard ACL-OSPF-ROUTES
permit 192.168.30.0 0.0.0.255
! route-map referenced by the redistribute command; routes not permitted by the ACL fall to the implicit deny
route-map RM-OSPF-ROUTES permit 10
match ip address ACL-OSPF-ROUTES
router ospf 1
network 10.1.3.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 10
router eigrp 1
network 192.168.10.0 0.0.0.255
network 1.1.1.1 0.0.0.0
network 10.1.2.0 0.0.0.255
! redistribute only the OSPF routes permitted by the route-map into EIGRP. EIGRP needs a seed metric:
! bandwidth (kbps), delay (tens of usec), reliability (1-255), load (1-255), MTU; without one nothing is redistributed
redistribute ospf 1 metric 1000 1 255 1 1500 route-map RM-OSPF-ROUTES
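The three filters on this page (the route-map ACLs in both redistribution sections and the EIGRP distribute-list) all hang off a standard ACL, which tests only the route's network address against a wildcard mask. As an added example (not the guide's code) this reproduces that matching next to ip prefix-list matching, which also checks the prefix length. The ACL entries are the page's ACL-EIGRP-ROUTES; the route list is constructed.

```python
"""Standard-ACL versus prefix-list route filtering. Added example; the
ACL entries mirror the page's, the routes are constructed."""
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard-ACL test: bits set to 1 in the wildcard are 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = (~w) & 0xFFFFFFFF
    return a & care == b & care


def acl_permits(acl, network: str) -> bool:
    """First matching entry wins; a standard ACL ends in an implicit deny.
    Only the route's network address is tested, never its prefix length."""
    for action, base, wildcard in acl:
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def acl_filter(acl, routes):
    """Routes that 'distribute-list <acl> out' or a route-map
    'match ip address <acl>' lets through."""
    return [r for r in routes
            if acl_permits(acl, str(IPv4Network(r).network_address))]


def prefix_list_permits(entries, route: str) -> bool:
    """'ip prefix-list' test: the route must sit inside the entry's prefix AND
    its length must fall in the ge/le window (no ge/le: exactly that length;
    ge alone: ge..32; le alone: prefixlen..le). Implicit deny at the end."""
    r = IPv4Network(route)
    for action, prefix, ge, le in entries:
        p = IPv4Network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False


def prefix_list_filter(entries, routes):
    return [r for r in routes if prefix_list_permits(entries, r)]


# Same entries as the page's ACL-EIGRP-ROUTES, and the prefix-list equivalent.
ACL_EIGRP_ROUTES = [
    ("permit", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255"),
    ("permit", "192.168.30.0", "0.0.0.255"),
]
PL_EIGRP_ROUTES = [
    ("permit", "192.168.10.0/24", None, None),
    ("permit", "192.168.20.0/24", None, None),
    ("permit", "192.168.30.0/24", None, None),
]
# Constructed routing-table entries, including two that the ACL lets through
# although they are not the /24s the operator had in mind.
SAMPLE_ROUTES = ["192.168.10.0/24", "192.168.10.128/25", "192.168.20.0/23",
                 "192.168.40.0/24", "10.1.2.0/24"]
```

With the ACL, a more specific 192.168.10.128/25 and a covering 192.168.20.0/23 both pass; the prefix-list admits only the exact /24. Use prefix-lists (or an extended ACL, which matches the mask too) when the length matters.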
BGP
  EBGP Routing
  IBGP Routing
  BGP Route Advertisement
  Synchronization
  MD5 Authentication
  Timers
  Soft Reconfiguration
  Route Control/Filtering (Inbound)
  Route Control/Filtering (Outbound)
  Route Summarization
  IBGP: Next Hop Self
  EBGP: Multi-Hop
  Changing Admin Distance
  Peer Groups
  Route Reflectors
  Private ASN
  Maximum Paths Per Route
  Removing Private ASN
  BGP Attribute: Local Preference
  BGP Attribute: MED
  BGP Attribute: AS PATH (Prepending, Padding)
  Conditional Advertisement
  BGP Communities
  BGP using Foundry FastIron L3 Switches
  Monitor
EBGP ROUTING
>>R1<<
! enables BGP routing process in ASN 6778
router bgp 6778
bgp router-id 1.1.1.1
bgp log-neighbor-changes
! configures EBGP peer and the ASN for the peer which is in a different ASN (ASN 1)
neighbor 10.1.3.3 remote-as 1
neighbor 10.1.3.3 description EBGP TO ISP
neighbor 10.1.3.3 version 4
>>ISP1 ; R3<<
! enables BGP routing process into ASN 1
router bgp 1
bgp router-id 3.3.3.3
bgp log-neighbor-changes
! configures EBGP peer and the ASN for the peer which is in a different ASN (ASN 6778)
neighbor 10.1.3.1 remote-as 6778
neighbor 10.1.3.1 description EBGP TO CPE
neighbor 10.1.3.1 version 4
IBGP ROUTING
>>R1<<
router bgp 6778
! configures IBGP peer and the ASN for the peer which is in the same ASN (ASN 6778)
neighbor 2.2.2.2 remote-as 6778
neighbor 2.2.2.2 description IBGP TO R2
! IBGP peering will use the Loopback0 interface
neighbor 2.2.2.2 update-source Loopback0
! configures IBGP peer to use the next hop IP of R1 for routes learned from an EBGP
neighbor 2.2.2.2 next-hop-self
>>R1<<
router bgp 6778
! specify what networks will be advertised from R1 to other BGP routers
network 10.1.0.0 mask 255.255.0.0
network 10.2.0.0 mask 255.255.0.0
! The exact network must exist in the routing table. A network of 10.1.1.0 /24 will
! not match what is configured under BGP, therefore Null0 static routes should be
! configured so the BGP routes can be advertised.
ip route 10.1.0.0 255.255.0.0 Null0 253
ip route 10.2.0.0 255.255.0.0 Null0 253
SYNCHRONIZATION
>>R1<<
router bgp 6778
address-family ipv4
! disables synchronization; advertised networks still need an exact matching entry in the routing table
no synchronization
MD5 AUTHENTICATION
>>R1<<
router bgp 6778
! enables MD5 authentication with the configured BGP peer
neighbor 10.1.3.3 password cisco123
neighbor 2.2.2.2 password cisco123
TIMERS
! tune BGP timers to 15 sec for keepalives and 45 sec for holdtime for fast convergence
>>R1<<
router bgp 6778
timers bgp 15 45
SOFT RECONFIGURATION
>>R1<<
router bgp 6778
address-family ipv4
! soft reconfiguration configured on all BGP peers
neighbor 10.1.3.3 soft-reconfiguration inbound
neighbor 2.2.2.2 soft-reconfiguration inbound
>>R1<<
! configure prefix list to include routes that should be received from the ISP
ip prefix-list ISP-ROUTES seq 10 permit 192.168.30.0/24
ip prefix-list ISP-ROUTES seq 11 permit 0.0.0.0/0
! configure prefix list to include routes that should be advertised to the EBGP peer (ISP)
ip prefix-list CL-ROUTES seq 10 permit 10.1.0.0/16
ip prefix-list CL-ROUTES seq 11 permit 10.2.0.0/16
! apply the prefix lists to the EBGP peer (inbound and outbound); a defined but
! unapplied prefix list filters nothing
router bgp 6778
neighbor 10.1.3.3 prefix-list ISP-ROUTES in
neighbor 10.1.3.3 prefix-list CL-ROUTES out
ROUTE SUMMARIZATION
>>R1<<
router bgp 6778
address-family ipv4
! summarizes all 10.x.x.x BGP routes as a single route, 10.0.0.0/8 to all eBGP peers
aggregate-address 10.0.0.0 255.0.0.0 summary-only
>>R1<<
router bgp 6778
! configures IBGP peer to use the next hop IP of R1 for routes learned from an EBGP
neighbor 2.2.2.2 next-hop-self
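An added example, not part of the RouteHub guide: a small Python audit that parses an IOS-style BGP stanza and its prefix lists, evaluates the prefix lists with IOS first-match and exact-length semantics (which is why a 10.1.1.0/24 route would not pass CL-ROUTES), and reports neighbors lacking the MD5 password or inbound/outbound prefix lists. The sample configuration is constructed from the R1 (ASN 6778) commands above; the function names are my own.

```python
"""Audit an IOS-style BGP configuration for the controls shown in this guide.

Added example (not RouteHub code). The sample below is constructed from the R1 / ASN 6778
commands in the guide; the iBGP neighbor is deliberately left without a password so the
audit has something to report.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
ip prefix-list ISP-ROUTES seq 10 permit 192.168.30.0/24
ip prefix-list ISP-ROUTES seq 11 permit 0.0.0.0/0
ip prefix-list CL-ROUTES seq 10 permit 10.1.0.0/16
ip prefix-list CL-ROUTES seq 11 permit 10.2.0.0/16
router bgp 6778
 bgp router-id 1.1.1.1
 neighbor 10.1.3.3 remote-as 1
 neighbor 10.1.3.3 password cisco123
 neighbor 10.1.3.3 prefix-list ISP-ROUTES in
 neighbor 10.1.3.3 prefix-list CL-ROUTES out
 neighbor 2.2.2.2 remote-as 6778
 neighbor 2.2.2.2 update-source Loopback0
 neighbor 2.2.2.2 next-hop-self
"""

# (seq, action, network, minimum prefix length, maximum prefix length)
PrefixEntry = Tuple[int, str, ipaddress.IPv4Network, int, int]

_PL_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)
_NBR_RE = re.compile(r"^neighbor (\S+) (.+)$")


def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Collect prefix-list entries by name, ordered by sequence number."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in config.splitlines():
        m = _PL_RE.match(line.strip())
        if not m:
            continue
        name, seq, action, net, ge, le = m.groups()
        network = ipaddress.ip_network(net, strict=False)
        # IOS semantics: without ge/le the prefix length must match exactly;
        # ge alone allows lengths up to /32; le alone allows lengths from the entry's own.
        min_len = int(ge) if ge else network.prefixlen
        max_len = int(le) if le else (32 if ge else network.prefixlen)
        lists.setdefault(name, []).append((int(seq), action, network, min_len, max_len))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def prefix_list_permits(entries: List[PrefixEntry], prefix: str) -> bool:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for _seq, action, network, min_len, max_len in entries:
        if candidate.subnet_of(network) and min_len <= candidate.prefixlen <= max_len:
            return action == "permit"
    return False


def parse_bgp_neighbors(config: str) -> Tuple[int, Dict[str, Dict[str, str]]]:
    """Return (local ASN, {neighbor address: {option: value}}) from the 'router bgp' stanza."""
    local_as = 0
    neighbors: Dict[str, Dict[str, str]] = {}
    in_bgp = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("router bgp "):
            local_as, in_bgp = int(line.split()[2]), True
            continue
        if in_bgp and raw and not raw[0].isspace():
            in_bgp = False  # the stanza ends at the next unindented line
        m = _NBR_RE.match(line) if in_bgp else None
        if not m:
            continue
        addr, words = m.group(1), m.group(2).split()
        opts = neighbors.setdefault(addr, {})
        if words[0] == "prefix-list":
            opts["prefix-list " + words[2]] = words[1]  # keys 'prefix-list in' / 'prefix-list out'
        elif words[0] == "password":
            opts["password"] = "(set)"  # record presence only, never the secret itself
        else:
            opts[words[0]] = " ".join(words[1:])
    return local_as, neighbors


def audit_bgp(config: str) -> List[str]:
    """Flag sessions missing MD5 authentication, and eBGP sessions missing prefix-list filters."""
    local_as, neighbors = parse_bgp_neighbors(config)
    findings: List[str] = []
    for addr, opts in sorted(neighbors.items()):
        if "password" not in opts:
            findings.append(f"{addr}: no MD5 password")
        if opts.get("remote-as") != str(local_as):  # a different remote-as means eBGP
            for direction in ("in", "out"):
                if f"prefix-list {direction}" not in opts:
                    findings.append(f"{addr}: eBGP session without {direction}bound prefix-list")
    return findings


if __name__ == "__main__":
    lists = parse_prefix_lists(SAMPLE_CONFIG)
    for test in ("10.1.0.0/16", "10.1.1.0/24"):
        print(f"CL-ROUTES permits {test}: {prefix_list_permits(lists['CL-ROUTES'], test)}")
    for finding in audit_bgp(SAMPLE_CONFIG):
        print("FINDING:", finding)
```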
Diagram: R1 (1.1.1.1, link 10.1.3.1) in ASN 6778 peering with ISP1; ASN 100 originates 192.168.10.0/24, 192.168.11.0/24 and 192.168.12.0/24
PEER GROUPS
interface Loopback0
ip address 1.1.1.1 255.255.255.255
Diagram: Route Reflector RR (Lo: 1.1.1.1) with CLIENT1 and CLIENT2
>> RR <<
interface Loopback0
ip address 1.1.1.1 255.255.255.255
Diagram: R1 (1.1.1.1) and R2 (2.2.2.2)
>> R1 <<
interface Loopback0
ip address 1.1.1.1 255.255.255.255
>> R2 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255
Diagram: clients R2, R3 and R4
>> R2 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255
>> R3 <<
interface Loopback0
ip address 3.3.3.3 255.255.255.255
>> R4 <<
interface Loopback0
ip address 4.4.4.4 255.255.255.255
Diagram: R1 (1.1.1.1, .1) and R2 (2.2.2.2, .2) in ASN 6778 serving 192.168.10.0/24, with uplinks to ASN 1 (1.1.1.1) and ASN 2 (1.2.1.1) on the INET
>>R1<<
! route-map specifying a local preference value of 100 (more preferred)
route-map RM-BGP-PRI-IN permit 10
set local-preference 100
>>R2<<
! route-map specifying a local preference value of 10 (less preferred)
route-map RM-BGP-SEC-IN permit 10
set local-preference 10
Diagram: ASN 1 (INET) with a Pri link (10.1.1.1) to R1 (1.1.1.1, .1) and a Sec link (10.2.1.1) to R2 (2.2.2.2, .2), both in ASN 6778 serving 192.168.10.0/24
>>R1<<
! route-map specifying a MED value of 10 (more preferred)
route-map RM-BGP-PRI-OUT permit 10
set metric 10
>>R2<<
! route-map specifying a MED value of 100 (less preferred)
route-map RM-BGP-SEC-OUT permit 10
set metric 100
Diagram: ASN 1 and ASN 2 (INET) with a Pri link (10.1.1.1) to R1 (1.1.1.1, .1) and a Sec link (10.2.1.1) to R2 (2.2.2.2, .2), both in ASN 6778 serving 192.168.10.0/24
>>R1<<
router bgp 6778
address-family ipv4
neighbor 10.1.1.2 remote-as 1
neighbor 2.2.2.2 remote-as 6778
network 192.168.10.0
! route-map associated with EBGP peer for all routes advertised to the ISP. This is
! the primary path for devices on the Internet to access ASN 6778
neighbor 10.1.1.2 route-map RM-BGP-PRI-OUT out
>>R2<<
! route-map specifying a longer path to our ASN through R2 (less preferred)
route-map RM-BGP-PRI-OUT permit 10
set as-path prepend 6778 6778 6778 6778 6778
Diagram: ISP1 (ASN 200, 1.1.1.1) peers with R1 and R2 of ASN 100, which holds 192.168.10.0/24, 192.168.11.0/24 and 192.168.12.0/24; routes received by ISP1: 192.168.12.0/24
>> R1 <<
interface Loopback0
ip address 1.1.1.1 255.255.255.255
! ACLs naming the three subnets the route-map below classifies
ip access-list standard RHG-ACL-NET-10
permit 192.168.10.0 0.0.0.255
ip access-list standard RHG-ACL-NET-11
permit 192.168.11.0 0.0.0.255
ip access-list standard RHG-ACL-NET-12
permit 192.168.12.0 0.0.0.255
! tell BGP router (R2) to not advertise subnet 192.168.10.0 to ANY other BGP peers
route-map RHG-RM-BGP-COM permit 10
match ip address RHG-ACL-NET-10
set community no-advertise
! tell BGP router (R2) to not advertise subnet 192.168.11.0 to other EBGP peers
route-map RHG-RM-BGP-COM permit 11
match ip address RHG-ACL-NET-11
set community no-export
! tell BGP router (R2) to advertise subnet 192.168.12.0 to ANY BGP peer
route-map RHG-RM-BGP-COM permit 12
match ip address RHG-ACL-NET-12
set community internet
! communities only reach R2 if send-community is enabled and the route-map is applied outbound
router bgp 6778
neighbor 2.2.2.2 send-community
neighbor 2.2.2.2 route-map RHG-RM-BGP-COM out
>> R2 <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255
Diagram: Core (ASN 6778, VLAN10 192.168.10.1) with VLAN91 (1.1.1.1, port 12/23) to ISP1 (1.1.1.2) and VLAN92 (2.2.2.1, port 12/19) to ISP2 (2.2.2.2)
! create VLAN 91
vlan 91 name ISP1
! associate interface to VLAN
untagged ethe 12/23
! associate L3 VLAN interface 91
router-interface ve 91
! create VLAN 92
vlan 92 name ISP2
! associate interface to VLAN
untagged ethe 12/19
! associate L3 VLAN interface 92
router-interface ve 92
MONITOR
Diagram: shared segment 10.1.1.0/24 with R1 (.1, EIGRP 1, 192.168.10.0/24, Tag 10), R11 (.11, EIGRP 1, 192.168.11.0/24, Tag 11), R2 (.2, RIP, 192.168.20.0/24, Tag 20), R22 (.22, RIP, 192.168.22.0/24, Tag 22) and R3 (.3, OSPF, 192.168.30.0/24); Routes Accepted on R3: 192.168.10.0/24, 192.168.20.0/24, 10.1.1.0/24
>> R1 <<
! specify a route tag of 10
route-map EIGRP-TAG permit 10
set tag 10
router eigrp 1
network 192.168.10.0
network 10.0.0.0
no auto-summary
! all EIGRP routes advertised from R1 will use tag 10
distribute-list route-map EIGRP-TAG out
>> R11 <<
! specify a route tag of 11
route-map EIGRP-TAG permit 10
set tag 11
router eigrp 1
network 192.168.11.0
network 10.0.0.0
no auto-summary
! all EIGRP routes advertised from R11 will use tag 11
distribute-list route-map EIGRP-TAG out
>> R2 <<
! specify a route tag of 20
route-map RIP-TAG permit 10
set tag 20
router rip
version 2
network 192.168.20.0
network 10.0.0.0
no auto-summary
! all RIP routes advertised from R2 will use tag 20
distribute-list route-map RIP-TAG out
>> R22 <<
! specify a route tag of 22
route-map RIP-TAG permit 10
set tag 22
router rip
version 2
network 192.168.22.0
network 10.0.0.0
no auto-summary
! all RIP routes advertised from R22 will use tag 22
distribute-list route-map RIP-TAG out
>> R3 <<
router eigrp 1
network 10.0.0.0
no auto-summary
router rip
version 2
network 10.0.0.0
no auto-summary
! the tag keyword on "redistribute" sets a tag, it does not filter by one; filtering on the
! tag needs a route-map with "match tag" (route-map names chosen here)
route-map ACCEPT-TAG-10 permit 10
match tag 10
route-map ACCEPT-TAG-20 permit 10
match tag 20
router ospf 3
! only redistribute EIGRP routes learned from R1 (tag 10)
redistribute eigrp 1 metric 10 subnets route-map ACCEPT-TAG-10
! only redistribute RIP routes learned from R2 (tag 20)
redistribute rip metric 10 subnets route-map ACCEPT-TAG-20
network 192.168.30.0 0.0.0.255 area 0
Diagram: shared segment 10.1.1.0/24 with R1 (.1, EIGRP 1, 192.168.10.0/24), R11 (.11, EIGRP 1, 192.168.11.0/24), R2 (.2, RIP, 192.168.20.0/24), R22 (.22, RIP, 192.168.22.0/24) and R3 (.3, OSPF, 192.168.30.0/24); RIP Route Tag & Accepted: Tag 10: 192.168.10.0/24, Tag 11: 192.168.11.0/24, Tag 20: 192.168.20.0/24, Tag 22: 192.168.22.0/24
>> R1 <<
interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
router eigrp 1
network 192.168.10.0
network 10.0.0.0
no auto-summary
>> R11 <<
interface fastethernet 0/0
ip address 10.1.1.11 255.255.255.0
router eigrp 1
network 192.168.11.0
network 10.0.0.0
no auto-summary
>> R2 <<
interface fastethernet 0/0
ip address 10.1.1.2 255.255.255.0
router rip
version 2
network 192.168.20.0
network 10.0.0.0
no auto-summary
>> R22 <<
interface fastethernet 0/0
ip address 10.1.1.22 255.255.255.0
router rip
version 2
network 192.168.22.0
network 10.0.0.0
no auto-summary
>> R3 <<
! ACL listing IP for R1
access-list 1 permit 10.1.1.1
! ACL listing IP for R11
access-list 1 permit 10.1.1.11
! ACL listing IP for R2
access-list 2 permit 10.1.1.2
! route-maps that match the advertising router (route source) against the ACLs above
route-map ROUTES-R1 permit 10
match ip route-source 1
route-map ROUTES-R2 permit 10
match ip route-source 2
router eigrp 1
network 10.0.0.0
no auto-summary
router rip
version 2
network 10.0.0.0
no auto-summary
router ospf 3
! only redistribute EIGRP routes from routers listed in the defined route-map
redistribute eigrp 1 metric 10 subnets route-map ROUTES-R1
! only redistribute RIP routes from routers listed in the defined route-map
redistribute rip metric 10 subnets route-map ROUTES-R2
network 192.168.30.0 0.0.0.255 area 0
STATIC ROUTING
Diagram: R1 (.1) and R2 (.2) on a shared segment
>> R2 <<
! to access the network 192.168.20.0 go through R1 (using IP 192.168.10.1)
ip route 192.168.20.0 255.255.255.0 192.168.10.1
VLAN
VLAN (L2)
! to view all VLANs configured (or learned via VTP) on the switch
show vlan
! makes L2 VLAN routable on the network with other networks and VLANs
interface Vlan100
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no shutdown
interface Vlan1
! disable autostate so the VLAN 1 interface stays up even when no port in the VLAN is active
no autostate
PRIVATE VLANS
Diagram: primary VLAN 2000 (192.168.10.1 with secondary VLANs 2011, 2012, 2021; Core SVI 192.168.10.2 mapping 2011, 2012); User 1 and User 2 in each of Consulting (Vlan2011), Training (Vlan2012) and Guest (Vlan2021); access switch uplink Gi0/1
Community: hosts can communicate with other hosts in the same community including the promiscuous router port.
Isolated: hosts can only communicate with the promiscuous router port
>>ACCESS<<
! create the primary VLAN that will be used by all private VLAN hosts
vlan 2000
private-vlan primary
! bind the secondary VLANs to the primary (required before ports can be associated)
private-vlan association 2011,2012,2021
! community VLANs for Consulting (2011) and Training (2012)
vlan 2011
private-vlan community
vlan 2012
private-vlan community
! Guest VLAN (2021), assumed isolated since guest hosts have no need to reach each other
vlan 2021
private-vlan isolated
>>CORE<<
! assign interface to the community VLAN for group 1
interface fastethernet0/2
description Consulting Host2
switchport private-vlan host association 2000 2011
switchport mode private-vlan host
! interface that hosts in the two communities can use for communicating with each other; this is
! the IP they would use for their default gateway
interface vlan2000
ip address 192.168.10.2 255.255.255.0
private-vlan mapping 2011,2012
ROOT BRIDGE
! configures the switch to use priority 8192 for VLANs 100 to 200
spanning-tree vlan 100-200 priority 8192
OR
! configures the switch to use priority 8192 for VLANs 100 and 102
spanning-tree vlan 100,102 priority 8192
LOOPGUARD
ROOTGUARD
! enables STP port path method to use 32-bit over 16-bit (the default)
spanning-tree pathcost method long
interface GigabitEthernet1/0/1
spanning-tree link-type point-to-point
MST
Diagram: CS01 is Primary Root for MSTI 1 (VLAN 10-12) and IST 0, Secondary Root for MSTI 2 (VLAN 20-22); CS02 is Primary Root for MSTI 2 (VLAN 20-22), Secondary Root for MSTI 1 (VLAN 10-12) and IST 0; ACCESS switch uplinks Gi0/1 to CS01 and Gi0/2 to CS02
VTP
Recommendation: use VTP Transparent mode rather than Server mode to avoid L2 issues
Mode: the other VTP modes are Client (ideal for Access switches) and Server (ideal for Core or Distribution switches)
! specify VTP mode on the switch to be transparent, where all VLANs are added/removed locally
vtp mode transparent
802.1Q
interface GigabitEthernet0/1
! configures interface for 802.1Q trunking
switchport trunk encapsulation dot1q
! configures interface as a trunk
switchport mode trunk
DTP
interface GigabitEthernet0/1
! disables DTP and establishes interface as a Trunk interface without negotiation
switchport nonegotiate
TRUNK SECURITY
interface GigabitEthernet0/1
! only allow VLAN tags 100 to 102 to be extended. All other VLAN access will be restricted
switchport trunk allowed vlan 100-102
NATIVE VLAN
interface GigabitEthernet0/1
! configures native VLAN on interface to be VLAN999, which is a NULL VLAN added
switchport trunk native vlan 999
802.1q
Diagram: router (.1 in VLAN 10 and 11) trunking to a switch; hosts vlan10 192.168.10.10 and vlan11 192.168.11.10
! L3 interface on Cisco IOS router (router-on-a-stick); the physical interface carries no IP
interface GigabitEthernet0/0
no ip address
duplex full
speed 100
! one 802.1Q subinterface per VLAN; the router is .1 in each VLAN as shown in the diagram
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.11
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0
! configures Port Channel hash algorithm based on Source & Destination IP plus TCP/UDP ports
port-channel load-balance src-dst-port
L3 Port Channel
Diagram: L3 Port Channel on 10.1.2.0/24
>>SW1<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! routed (L3) port channel
no switchport
! configures IP address details
ip address 10.1.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
! first member interface
interface GigabitEthernet0/1
no switchport
no ip address
channel-protocol lacp
channel-group 1 mode active
! second member interface
interface GigabitEthernet0/2
no switchport
no ip address
channel-protocol lacp
channel-group 1 mode active
L2 Port Channel
>>SW1<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-11,50,200,250
switchport mode trunk
switchport nonegotiate
>>SW2<<
! configures Port Channel interface to use group 1
interface Port-Channel1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-11,50,200,250
switchport mode trunk
switchport nonegotiate
Diagram: GE0/0 and GE0/1 bundled into PortChannel 1
! physical interface
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
media-type rj45
! put physical interface into port channel1
channel-group 1
L2 Port Channel
>>SW1<<
interface fastethernet 0/1
! creates and associate interface to port-channel group 1
port group 1
! L2 trunking configuration
switchport trunk encapsulation dot1q
switchport mode trunk
PORT MONITOR
Diagram: Server on Gi0/2 and Firewall on Gi0/1 mirrored to a Packet Capture Computer (e.g. Wireshark) on Gi0/24
! specify the interface(s) whose traffic will be mirrored (the server and firewall ports from the diagram)
monitor session 1 source interface Gi0/1 - 2
! specify the interface where all traffic from the interface(s) listed above will be sent to
monitor session 1 destination interface Gi0/24
RSPAN
Diagram: ACCESS switch (servers on Gi0/2 and Gi0/3) carries RSPAN VLAN 200 over its Gi0/1 802.1Q trunk to CORE, whose Gi0/7 connects the Sniffer
>>AS01TRA<< Source
! the RSPAN VLAN must be created as a remote-span VLAN on every switch in the path
vlan 200
remote-span
! make sure trunking is enabled on all switches and allowing VLAN 200
interface GigabitEthernet 0/1
description TO: CS01TRA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
! mirror the server ports (2 and 3) into the RSPAN VLAN
monitor session 1 source interface gigabitethernet0/2 - 3
monitor session 1 destination remote vlan 200
>>CS01TRA<< Destination
vlan 200
remote-span
! make sure trunking is enabled on all switches and allowing VLAN 200
interface GigabitEthernet 0/1
description TO: AS01TRA
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200
switchport mode trunk
! specify source RSPAN VLAN where traffic has been captured, so far, from
! ports 2 and 3 off of AS01TRA
monitor session 1 source remote vlan 200
! specify the switch port that our network sniffer is connected to, which will be port 7
monitor session 1 destination interface gigabitethernet0/7
BROADCAST SUPPRESSION
UDLD
UDLD AGGRESSIVE
>>SW1<<
! enables UDLD (aggressive mode) which must be configured the same on the other side
interface GigabitEthernet0/1
udld port aggressive
>>SW2<<
! enables UDLD (aggressive mode) which must be configured the same on the other side
interface GigabitEthernet0/1
udld port aggressive
PORT SECURITY
! enables interface for port security and restrict no more than 5 connected devices
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security maximum 5
switchport port-security aging time 20
! enables interface for port security for only a connected device with MAC address 0014.1cc1.0e00
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security aging type inactivity
! define MAC address that can connect to this switch port
switchport port-security mac-address 0014.1cc1.0e00
switchport port-security aging time 20
L2 Port Channel
Diagram: Group 1, 802.1q VLAN 10-11, Cisco Gi0/1-2 to Netgear 1/0/1-2
! L2 physical interface #1
interface GigabitEthernet0/1
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
! enable LACP
channel-protocol lacp
! add interface to Port channel group 1 in passive mode
channel-group 1 mode passive
! L2 physical interface #2
interface GigabitEthernet0/2
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
! enable LACP
channel-protocol lacp
! add interface to Port channel group 1 in passive mode
channel-group 1 mode passive
802.1Q
Diagram: VLAN 10-11 trunk, Cisco Gi0/1 to Extreme Summit port 1:5
interface GigabitEthernet0/1
! L2 configuration enabling 802.1q (VLAN tagging)
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-11
switchport mode trunk
! LAN VLAN added to port 1:5 which will be configured as a trunk interface
configure vlan RHG-LAN add ports 1:5 tagged
! GUEST VLAN added to port 1:5 which will be configured as a trunk interface
configure vlan RHG-GUEST add ports 1:5 tagged
Diagram: 802.1q trunks carrying Vlan10,20 between the switch, the SonicWALL and the SonicPoint AP; IP phone on the voice VLAN (20) with a PC on the data VLAN (10) behind it; PSTN
Data VLAN: 10
Voice VLAN: 20
interface GigabitEthernet5/14
description DTOP and IPPHONE PORT
! enable 802.1Q
switchport trunk encapsulation dot1q
! set native VLAN for any non-802.1Q device into the data VLAN
switchport trunk native vlan 10
! allow data and voice VLAN
switchport trunk allowed vlan 10,20
! enable Trunk mode
switchport mode trunk
! spanning tree best practice configuration
spanning-tree portfast
spanning-tree bpduguard enable
JUMBO FRAMES
DHCP SNOOPING
Diagram: CORE connected to the ACCESS switch uplink Gi0/1
>>ACCESS<<
! enable DHCP snooping globally and on the user VLANs (VLAN range assumed; match it to the VLANs in use)
ip dhcp snooping
ip dhcp snooping vlan 10-11
! do not insert DHCP option 82 (relay agent information), which upstream servers may reject
no ip dhcp snooping information option
! the uplink towards the DHCP server (CORE) is trusted; all other ports stay untrusted
interface GigabitEthernet0/1
ip dhcp snooping trust
DYNAMIC ARP INSPECTION
Diagram: CORE connected to the ACCESS switch uplink Gi0/1
>>ACCESS<<
! define what VLANs will be enabled for Dynamic ARP inspection (validated against the DHCP snooping binding table)
ip arp inspection vlan 10-11
! ARP from the uplink is trusted; access ports stay untrusted
interface GigabitEthernet0/1
ip arp inspection trust
IP SOURCE GUARD
Diagram: CORE connected to the ACCESS switch uplink Gi0/1
interface GigabitEthernet0/1
! enable IP source guard (also built on the DHCP snooping binding table)
ip verify source
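An added example, not part of the RouteHub guide, covering the trunk security, native VLAN, port security and DHCP snooping / DAI / IP source guard sections together: a Python audit that splits a Catalyst-style configuration into interface stanzas and reports trunks that still negotiate DTP, keep VLAN 1 as native or carry every VLAN, access ports without port security, and DAI or IP source guard configured without the DHCP snooping table they depend on. The sample configuration is constructed from the commands in those sections; function names are my own.

```python
"""Audit Catalyst-style switchport configuration for the hardening this guide applies.

Added example (not RouteHub code). The sample is constructed from the trunk security, native
VLAN, port security and DHCP snooping / DAI / IP source guard commands in the guide; Gi0/2
and Gi0/4 are deliberately left weak so the audit has something to report.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
ip arp inspection vlan 10-11
interface GigabitEthernet0/1
 description uplink to CORE
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-102
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
interface GigabitEthernet0/4
 switchport mode access
 ip verify source
"""


def parse_interfaces(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the config into global lines and per-interface stanzas (the indented lines)."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            interfaces[current].append(line)
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def _value(lines: List[str], prefix: str) -> Optional[str]:
    """Return the argument of the first line starting with prefix, or None if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit_switch(config: str) -> List[str]:
    """Check trunks (DTP off, non-default native VLAN, pruned VLAN list), access ports
    (port security) and the DHCP snooping dependency of DAI and IP source guard."""
    global_lines, interfaces = parse_interfaces(config)
    findings: List[str] = []
    snooping_on = "ip dhcp snooping" in global_lines
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still negotiates via DTP; add 'switchport nonegotiate'")
            native = _value(lines, "switchport trunk native vlan")
            if native is None or native == "1":
                findings.append(f"{name}: native VLAN is the default VLAN 1; move it to an unused VLAN")
            if _value(lines, "switchport trunk allowed vlan") is None:
                findings.append(f"{name}: trunk carries every VLAN; restrict with 'switchport trunk allowed vlan'")
        elif "switchport mode access" in lines:
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port security")
        if "ip verify source" in lines and not snooping_on:
            findings.append(f"{name}: 'ip verify source' needs the DHCP snooping binding table; enable 'ip dhcp snooping'")
    if any(g.startswith("ip arp inspection vlan") for g in global_lines) and not snooping_on:
        findings.append("global: DAI configured without 'ip dhcp snooping'; there are no bindings to validate ARP against")
    return findings


if __name__ == "__main__":
    for finding in audit_switch(SAMPLE_CONFIG):
        print("FINDING:", finding)
```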
FLEXLINK
Diagram: ACCESS switch with Gi0/1 to CS01 and Gi0/2 to CS02
>>ACCESS<<
! Gi0/2 becomes the Flex Link backup for Gi0/1; only one of the pair forwards at a time
interface GigabitEthernet0/1
switchport backup interface GigabitEthernet0/2
! enable IRB
bridge irb
MULTICAST ..... 71
General ..... 72
IGMP Snooping ..... 72
CGMP ..... 72
Multicast Routing ..... 73
PIM Sparse Mode ..... 73
RP Management ..... 74
Static RP ..... 74
Auto-RP ..... 75
MSDP ..... 76
MSDP ..... 76
MSDP and MBGP (External Design) ..... 77
Redundancy using MSDP and Anycast (Internal Design) ..... 78
Other Multicast Configuration ..... 81
SPT Threshold Infinity ..... 81
PIM Query Interval ..... 81
Security ..... 82
Rogue Source Protection ..... 82
Rogue Source Protection for Auto-RP ..... 82
IGMP Group Security (On Routers) ..... 82
IGMP Filter (On Switches) ..... 83
RP Multicast Group Registration Protection ..... 83
Multicast Boundary Protection ..... 83
Monitor ..... 84
Monitor ..... 84
IGMP SNOOPING
CGMP
interface fastethernet0/1
! enabled CGMP server
ip cgmp
show cgmp
PIM SPARSE MODE
Diagram: LEAF (2.2.2.2, .2) and RP (1.1.1.1, .1) on 10.1.2.0/24
>> RP <<
! enable multicast routing (required before PIM forwards anything)
ip multicast-routing
interface Loopback0
! IP used for the RP on the network
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
>> LEAF <<
ip multicast-routing
interface Loopback0
ip address 2.2.2.2 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet0/2
no switchport
ip address 10.1.2.2 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
STATIC RP
Diagram: LEAF (2.2.2.2, .2) and RP (1.1.1.1, .1) on 10.1.2.0/24
>> RP <<
interface Loopback0
! IP used for the RP on the network
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! static RP: every router in the domain, the RP included, points at the RP's loopback
ip pim rp-address 1.1.1.1
>> LEAF <<
interface Loopback0
ip address 2.2.2.2 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet0/2
no switchport
ip address 10.1.2.2 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! static RP pointing at the RP's loopback
ip pim rp-address 1.1.1.1
Diagram: LEAF (2.2.2.2, .2) and RP (1.1.1.1, .1) on 10.1.2.0/24
>> RP <<
interface Loopback0
! IP used for the RP on the network
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse Dense mode on L3 interfaces
ip pim sparse-dense-mode
interface GigabitEthernet0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! configures Auto-RP and associates ACL 1 for what multicast groups it will announce
! IP for Auto-RP will be the IP from the Loopback0 interface
ip pim send-rp-announce Loopback0 scope 16 group-list 1
ip pim send-rp-discovery Loopback0 scope 16
MSDP
Diagram: R1 (1.1.1.1, RP 172.16.1.1, 192.168.10.0/24) and R2 (2.2.2.2, RP 172.16.2.1, 192.168.20.0/24) connected over the INET
>> R1 <<
! enable multicast routing
ip multicast-routing
interface Loopback0
! IP used for the RP on this multicast domain
ip address 172.16.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! specify MSDP peer using the Loopback0 interface pointing to remote multicast domain (RP)
ip msdp peer 172.16.2.1 connect-source Loopback0
ip msdp description 172.16.2.1 Connecting to remote RP router
>> R1 <<
! enable multicast routing
ip multicast-routing
interface Loopback0
! IP used for the RP on this multicast domain
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! specify MSDP peer using the Loopback0 interface pointing to the ISP’s RP router
ip msdp peer 3.3.3.3 connect-source Loopback0
ip msdp description 3.3.3.3 ISP RP ROUTER
>> CORE1 <<
interface Loopback0
! IP used for MSDP peering between devices (secondary MSDP peer)
ip address 1.1.1.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface Loopback9
! Anycast IP used for the RP on the PIM Sparse mode network
ip address 1.0.0.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet1/0/1
no switchport
ip address 10.1.2.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! all routers, both cores included, point at the shared anycast RP address
ip pim rp-address 1.0.0.1
! specify MSDP peer using the Loopback0 interface pointing to CORE2 (primary MSDP peer)
ip msdp peer 2.2.2.2 connect-source Loopback0
ip msdp description 2.2.2.2 routehub-csr02
! SA messages must carry this router's unique Loopback0 address, not the shared anycast address
ip msdp originator-id Loopback0
>> CORE2 <<
interface Loopback0
! IP used for MSDP peering between devices (primary MSDP peer)
ip address 2.2.2.2 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface Loopback9
! Anycast IP used for the RP on the PIM Sparse mode network
ip address 1.0.0.1 255.255.255.255
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet1/0/1
description CORE1
no switchport
ip address 10.1.2.2 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
interface GigabitEthernet1/0/2
description WAN-ROUTER
no switchport
ip address 10.1.3.1 255.255.255.0
! enable PIM Sparse mode on L3 interfaces
ip pim sparse-mode
! all routers, both cores included, point at the shared anycast RP address
ip pim rp-address 1.0.0.1
! specify MSDP peer using the Loopback0 interface pointing to CORE1 (secondary MSDP peer)
ip msdp peer 1.1.1.1 connect-source Loopback0
ip msdp description 1.1.1.1 routehub-csr01
! SA messages must carry this router's unique Loopback0 address, not the shared anycast address
ip msdp originator-id Loopback0
>> WAN-ROUTER <<
ip multicast-routing
interface loopback 0
description "network-mgmt"
ip address 3.3.3.3 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
interface GigabitEthernet3/1
description CORE2
ip address 10.1.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode
! the WAN router also uses the anycast RP address shared by CORE1 and CORE2
ip pim rp-address 1.0.0.1
SPT THRESHOLD INFINITY
! Reduces multicast state (S,G) from leaf routers by keeping traffic on the shared tree
ip pim spt-threshold infinity
Diagram: INET; CS01 (GE0/1, .1 on Vlan10 and Vlan20); AS01 with a Member host on Vlan10 (.1); SF-AS01 Source (.10 on Vlan30, 192.168.30.0/24) sending to group 239.192.240.10
ROGUE SOURCE PROTECTION
! ACL listing the permitted multicast source network and the multicast groups it may register
ip access-list extended permitted-ucast-sources
permit ip 192.168.20.0 0.0.0.255 224.0.0.0 15.255.255.255
! associates the ACL specifying what multicast sources are permitted for multicast registration
! to the RP router
ip pim accept-register list permitted-ucast-sources
ROGUE SOURCE PROTECTION FOR AUTO-RP
! configure ACL to specify valid multicast groups that RPs can advertise
access-list 11 permit 239.192.240.10
! on the mapping agent, only accept RP announcements for the groups in ACL 11
ip pim rp-announce-filter group-list 11
IGMP GROUP SECURITY (ON ROUTERS)
Notes: This is configured on multicast routers with connected hosts that could join a multicast group
! ACL 10 lists the groups members may join (the group from the diagram above)
access-list 10 permit 239.192.240.10
interface Vlan10
ip address 192.168.10.1 255.255.255.0
! associates ACL 10 under the LAN interface specifying what multicast groups members can join
ip igmp access-group 10
IGMP FILTER (ON SWITCHES)
! IGMP profile 1 lists the groups hosts behind the filtered port may join
ip igmp profile 1
permit
range 239.192.240.10
interface GigabitEthernet0/1
description TO: R1
! IGMP filter using profile 1 associated to uplink/downlink on switch port
ip igmp filter 1
RP MULTICAST GROUP REGISTRATION PROTECTION
! specify location of the RP router and what multicast groups can register with the RP
ip pim rp-address 1.1.1.1 ROUTEHUB-ACL-MCAST override
MULTICAST BOUNDARY PROTECTION
interface Vlan30
ip address 192.168.30.1 255.255.255.0
! filter multicast traffic so it is neither transmitted nor received beyond this interface
ip pim bsr-border
ip multicast boundary pim-local-domain
ip multicast ttl-threshold 32
MONITOR
show ip mroute
show ip mroute count
show ip mroute <multicast-address> count
show ip mroute active
show ip igmp group
show ip pim neighbor
show ip pim rp
show ip pim interface vlan3
show multicast protocol status
show ip igmp interface vlan3
show igmp groupinfo <vlan> <mac-address>
show multicast router
show multicast group <mac-address>
show cam static <vlan>
show ip igmp group
show mls ip multicast group <multicast-address>
show mls multicast entry
show mls multicast statistics
GENERAL
! ACL RHG-ACL-ICMP (entries assumed: match all ICMP; the guide names the ACL but does not show it)
ip access-list extended RHG-ACL-ICMP
permit icmp any any
! class map classifying all ICMP traffic using the ACL
class-map match-any RHG-CLASS-ICMP
match access-group name RHG-ACL-ICMP
policy-map RHG-POL
class RHG-CLASS-ICMP
police rate 500000 conform-action transmit exceed-action drop
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
! associate QoS policy inbound to the WAN facing interface
service-policy input RHG-POL
policy-map RHG-POL-POLICE
class class-default
police rate 500000
conform-action transmit
exceed-action drop
interface FastEthernet0/0
service-policy input RHG-POL-POLICE
service-policy output RHG-POL-POLICE
CAR
interface POS4/0
! rate limit all ICMP traffic to 2Mbps (with some bursting allowed)
rate-limit input access-group 101 2000000 512000 786000 conform-action transmit exceed-action drop
OC-3 SHAPING
LLQ
! class-map for Voice RTP traffic marked DSCP EF (definition assumed; the guide only references it)
class-map match-any RHG-CLASS-VOICE-RTP
match ip dscp ef
! QoS policy
policy-map RHG-POLICY
! associate class-map for Voice RTP traffic
class RHG-CLASS-VOICE-RTP
! LLQ providing 33% of priority bandwidth for Voice RTP traffic
priority percent 33
! class-map for Call Signaling traffic using either DSCP AF31 or CS3
class-map match-any RHG-CLASS-VOICE-CONTROL
match ip dscp af31
match ip dscp cs3
! QoS policy
policy-map RHG-POLICY
! associate class-map for Call Signaling traffic
class RHG-CLASS-VOICE-CONTROL
! CBWFQ providing 5% of bandwidth for Call Signaling traffic
bandwidth percent 5
WRED
! QoS policy
policy-map RHG-POLICY
class class-default
! enable WRED
random-detect
WRED (DSCP-BASED)
! QoS policy
policy-map RHG-POLICY
class RHG-CLASS-DATA-GOLD
! enable DSCP-based WRED
random-detect dscp-based
Diagram: 768Kbps PVC between R2 (2.2.2.2, .2) and R1 (1.1.1.1, .1) on 10.1.2.0/24
! QoS policy
policy-map RHG-POLICY
! class-map and policy action (LLQ) for Voice RTP traffic
class RHG-CLASS-VOICE-RTP
priority percent 33
! class-map and policy action (CBWFQ) for Call Signaling traffic
class RHG-CLASS-VOICE-CONTROL
bandwidth percent 5
! default class-map and policy action (CBWFQ+WRED) for all other traffic
class class-default
bandwidth percent 25
random-detect
LFI
interface Serial0/0/0
bandwidth 768
no ip address
! enable PPP encapsulation on interface
encapsulation ppp
! associate interface to the ML group 1
ppp multilink
ppp multilink group 1
! QoS policy
policy-map RHG-POLICY
! associate class-map for Voice RTP traffic
class RHG-CLASS-VOICE-RTP
! apply RTP header compression (cRTP) for Voice RTP traffic
compression header ip rtp
interface Multilink1
ip address 10.1.2.1 255.255.255.0
ppp multilink
! multilink group matching the serial member interface above
ppp multilink group 1
! LFI: fragment large packets to a 10 ms serialization delay and interleave voice between the fragments
ppp multilink fragment delay 10
ppp multilink interleave
! QoS policy applied to WAN facing interface (outbound)
service-policy output RHG-POLICY
! class-map for Call Signaling traffic using either DSCP AF31 or CS3
class-map match-any RHG-CLASS-VOICE-CONTROL
match ip dscp af31
match ip dscp cs3
! QoS policy
policy-map RHG-POLICY
! class-map and policy action (CBWFQ) for Call Signaling traffic
class RHG-CLASS-VOICE-CONTROL
bandwidth percent 5
MONITOR
IPV6 (page 96)
  General (97)
    Base Configuration (97)
    Interface using Static IPv6 Address (97)
    General Prefixes (97)
    Interface using Dynamic IPv6 Address (EUI-64) (98)
    Disable Route Advertisements on Point-to-Point Links (98)
    Monitor (98)
  IGP Routing (99)
    OSPFv3 (99)
    Static Route (100)
    Monitor (100)
  EGP Routing (101)
    BGPv4+ (101)
    Monitor (102)
  Tunneling (103)
    ISATAP (Server and Client) on Cisco IOS (103)
  Security (105)
    IPv6 ACL (105)
    Monitor (105)
Topology: R2 (.2) -- FEC:0:0:1::/64 -- R1 (.1); R1 (.1) -- FEC:0:0:2::/64 -- R3 (.3); eBGP link 2002:100:20:20::/126 (.1 / .2)
GENERAL
BASE CONFIGURATION
! enable IPv6
ipv6 unicast-routing
ipv6 cef
INTERFACE USING STATIC IPV6 ADDRESS
! enable IPv6
ipv6 unicast-routing
ipv6 cef
interface GigabitEthernet0/1
! configure a static IPv6 address on the interface. Note: FEC::/16 is not the site-local range FEC0::/10
! (deprecated by RFC 3879 anyway); for private addressing use a ULA from FC00::/7, as the OSPFv3 loopbacks below do
ipv6 address FEC:0:0:1::1/64
! enable IPv6 on interface
ipv6 enable
GENERAL PREFIXES
! define a named general prefix (the R1-R3 link prefix from the topology) that interfaces can reference
ipv6 general-prefix RHG-R1-R3 FEC:0:0:2::/64
interface GigabitEthernet0/2
! IPv6 address built from the general prefix followed by the host portion of the IP (::3)
ipv6 address RHG-R1-R3 ::3/64
! enable IPv6
ipv6 unicast-routing
ipv6 cef
interface Vlan10
! address from the FEC:0:0:10::/64 prefix with the host portion generated from the interface MAC (EUI-64).
! This is not a link-local address: link-local is FE80::/10 and is generated automatically when IPv6 is enabled
ipv6 address FEC:0:0:10::/64 eui-64
! global address from the 2002:100:10:10::/64 prefix with an EUI-64 host portion (the MAC is therefore visible in the address)
ipv6 address 2002:100:10:10::/64 eui-64
! enable IPv6 on interface
ipv6 enable
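The EUI-64 host portion is built mechanically from the interface MAC, so an address formed this way tells anyone who sees it the hardware address (and vendor OUI) of the interface. The Python below is an editor's worked example, not part of the RouteHub guide; it derives the interface identifier the way RFC 4291 Appendix A specifies and recovers the MAC from an EUI-64 address. The MAC addresses are made up.

```python
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Return the 64-bit interface ID IOS derives from a 48-bit MAC (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # flip the universal/local bit (bit 1 of the first octet) and splice FF:FE into the middle
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    hexstr = iid.hex()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (e.g. the guide's FEC:0:0:10::/64) with the EUI-64 ID for `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    iid_int = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid_int)


def mac_from_eui64(addr: str):
    """Recover the MAC when the low 64 bits carry the FF:FE marker; None for other address types."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


# constructed demo: a made-up Cisco-style MAC on the guide's Vlan10 prefix
DEMO_MAC = "0000.0c12.3456"
DEMO_ADDRESS = eui64_address("FEC:0:0:10::/64", DEMO_MAC)
```

Run `mac_from_eui64(str(DEMO_ADDRESS))` to see the MAC come straight back out of the address; where that matters, prefer a static host portion or privacy extensions (RFC 4941) on hosts.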
interface GigabitEthernet0/1
! disable router advertisements on point-to-point links (no hosts there to autoconfigure); older releases use "ipv6 nd suppress-ra"
ipv6 nd ra suppress
MONITOR
OSPFV3
! enable IPv6
ipv6 unicast-routing
ipv6 cef
interface Loopback0
! configure static IPv6 Unique Local address (private IP) on interface
ipv6 address FC00:0:1::1/128
! enable IPv6 on interface
ipv6 enable
! place interface into Area 1 (standard area) using OSPF ID of “1”
ipv6 ospf 1 area 1
interface GigabitEthernet0/1
! configure static IPv6 address on interface (FEC::/16 is a lab prefix here, not the deprecated site-local FEC0::/10)
ipv6 address FEC:0:0:1::1/64
! enable IPv6 on interface
ipv6 enable
! tune OSPF timers ; must be configured on both ends
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
! place interface into Area 0 (OSPF backbone area) using OSPF ID of “1”
ipv6 ospf 1 area 0
interface GigabitEthernet0/2
! configure static IPv6 address on interface (FEC::/16 is a lab prefix here, not the deprecated site-local FEC0::/10)
ipv6 address FEC:0:0:2::1/64
! enable IPv6 on interface
ipv6 enable
! tune OSPF timers ; must be configured on both ends
ipv6 ospf hello-interval 1
ipv6 ospf dead-interval 3
! place interface into Area 0 (OSPF backbone area) using OSPF ID of “1”
ipv6 ospf 1 area 0
! enable IPv6
ipv6 unicast-routing
ipv6 cef
! routing to IPv6 subnet FEC:0:0:20::/64 through next hop IPv6 router (R2), FEC:0:0:2::2
ipv6 route FEC:0:0:20::/64 FEC:0:0:2::2
MONITOR
BGPV4+
interface Loopback0
! configure static IPv6 Unique Local address (private IP) on interface
ipv6 address FC00:0:4::1/128
! enable IPv6 on interface
ipv6 enable
interface GigabitEthernet0/0
! configure static IPv6 Global address (public IP) on interface
ipv6 address 2002:100:10:10::1/126
! enable IPv6 on interface
ipv6 enable
interface Loopback0
! configure IPv6 Unique Local address (private IP) on interface
ipv6 address FC00:0:1::1/128
! enable IPv6 on interface
ipv6 enable
interface GigabitEthernet0/0
! configure IPv6 Global address (public IP) on interface
ipv6 address 2002:100:20:20::2/126
! enable IPv6 on interface
ipv6 enable
! null route so the aggregate exists in the routing table and can be injected into BGP and advertised to eBGP peers
ipv6 route 2002:100:10::/48 Null0
MONITOR
ISATAP (SERVER AND CLIENT) ON CISCO IOS
Topology: Server Lo0 10.1.1.1, FE0/0 192.168.10.1, ISATAP tunnel prefix 2001:AAA:BBB:CCC::/64 with EUI-64 address; Client FE0/0 192.168.10.2, tunnel address by autoconfig
ipv6 unicast-routing
IPV6 ACL
! enable IPv6
ipv6 unicast-routing
ipv6 cef
interface GigabitEthernet0/0
! apply ACL inbound to the WAN/Internet facing interface
ipv6 traffic-filter ROUTEHUB-ACL-IPV6 in
MONITOR
Topology: SW1 (.2) and SW2 (.3) on 192.168.10.0/24, HSRP virtual IP .1
HSRP
Priority: the higher the value, the more preferred the device is as the primary default gateway (default 100).
>>SW1<<
! configures SW1 to be primary default gateway router for VLAN100.
interface Vlan100
ip address 192.168.10.2 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby priority 110
standby preempt delay minimum 180
>>SW2<<
! configures SW2 to be the secondary default gateway router for VLAN100
interface Vlan100
ip address 192.168.10.3 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby preempt delay minimum 180
HSRP AUTHENTICATION
>>SW1<<
interface Vlan100
! HSRP authentication string; must match on every router in the group (IOS default is "cisco").
! The plaintext string is carried unencrypted in every HSRP hello, so it only prevents accidental group mix-ups;
! use "standby authentication md5 key-string <key>" (or a key chain) where the platform supports it
standby authentication cisco123
>>SW2<<
interface Vlan100
! same plaintext authentication string as SW1
standby authentication cisco123
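HSRP version 1 carries the authentication string as an 8-byte cleartext field in every hello sent to 224.0.0.2 on UDP/1985, so anyone on the VLAN can read it and the string does not stop a rogue hello with a higher priority. The Python below is an editor's example, not part of the RouteHub guide: it builds a constructed HSRPv1 hello for the group above (group 0, since no group number is given), parses it, and applies the checks a passive monitor on the VLAN would run. The packets and the priority limit are constructed for the demo.

```python
import struct

# HSRPv1 body (RFC 2281 section 5.1): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte authentication data, 4-byte virtual IP = 20 bytes
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = "cisco"  # IOS default when no "standby authentication" is configured


def build_hello(priority, group, auth, vip, state=16, hellotime=3, holdtime=10):
    """Constructed HSRPv1 hello payload (the UDP payload a router sends to 224.0.0.2:1985)."""
    auth_field = auth.encode("ascii")[:8].ljust(8, b"\x00")
    vip_bytes = bytes(int(o) for o in vip.split("."))
    return HSRP_V1.pack(0, 0, state, hellotime, holdtime, priority, group, 0, auth_field, vip_bytes)


def parse_hsrp_v1(payload):
    if len(payload) < HSRP_V1.size:
        raise ValueError("short HSRP payload")
    ver, op, state, hello, hold, prio, group, _res, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:
        raise ValueError(f"unsupported HSRP version byte {ver}")
    return {
        "opcode": OPCODES.get(op, op),
        "state": STATES.get(state, state),
        "hellotime": hello,
        "holdtime": hold,
        "priority": prio,
        "group": group,
        # the authentication string is right there in the clear
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "vip": ".".join(str(b) for b in vip),
    }


def audit_hello(payload, expected_vip, max_legit_priority):
    """Findings for one hello: cleartext auth is inherent to v1; the rest compare against what SW1/SW2 are configured with."""
    h = parse_hsrp_v1(payload)
    findings = ["v1-cleartext-auth"]
    if h["auth"] == DEFAULT_AUTH:
        findings.append("default-auth-string")
    if h["vip"] != expected_vip:
        findings.append("unexpected-vip")
    if h["priority"] > max_legit_priority:
        findings.append("priority-above-configured")  # nobody legitimate should out-prioritize SW1 (110)
    return h, findings


# constructed samples: SW1's legitimate hello and an unknown hello claiming priority 255
SW1_HELLO = build_hello(priority=110, group=0, auth="cisco123", vip="192.168.10.1")
ROGUE_HELLO = build_hello(priority=255, group=0, auth="cisco123", vip="192.168.10.1")
```

`audit_hello(ROGUE_HELLO, "192.168.10.1", 110)` shows the point: the rogue hello passes authentication (it copied the string off the wire) and is only caught by the priority check, which is why MD5 authentication and a monitoring rule on HSRP priority are both worth having.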
Topology (HSRP interface tracking): SW1 Fa0/1 to ISP1 (1.1.1.1/24), SW2 Fa0/1 to ISP2 (1.2.1.1/24); SW1 (.2) and SW2 (.3) on 192.168.10.0/24 with HSRP virtual IP .1
>>SW1<<
! configures SW1 to be the primary default gateway router for VLAN10
interface Vlan10
ip address 192.168.10.2 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby priority 110
standby preempt delay minimum 180
! track the following interface
! If interface is down subtract 20 from priority causing SW2 to be primary
standby track FastEthernet0/1 20
>>SW2<<
! configures SW2 to be the secondary default gateway router for VLAN10
interface Vlan10
ip address 192.168.10.3 255.255.255.0
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby preempt delay minimum 180
REDIRECTING ICMP
>>SW1<<
interface Vlan10
! HSRP-aware ICMP redirects: redirects sent from this interface point hosts at the HSRP virtual IP
! of the active router rather than a real interface IP, so a failover does not strand redirected hosts
standby redirects enable
>>SW2<<
interface Vlan10
! same HSRP-aware ICMP redirect setting on the standby router
standby redirects enable
show standby
show standby brief
show track
Topology: SW1 (.2) and SW2 (.3) on 192.168.10.0/24, VRRP virtual IP .1
VRRP
Priority: the higher the value, the more preferred the device is as the primary default gateway (default 100).
>>SW1<<
! configures SW1 to be primary default gateway router for VLAN10.
interface Vlan10
ip address 192.168.10.2 255.255.255.0
! define default gateway IP
vrrp 1 ip 192.168.10.1
vrrp 1 priority 110
vrrp 1 preempt
>>SW2<<
! configures SW2 to be the secondary default gateway router for VLAN10
interface Vlan10
ip address 192.168.10.3 255.255.255.0
! define default gateway IP
vrrp 1 ip 192.168.10.1
vrrp 1 preempt
MONITOR
show vrrp
! export NetFlow version 5 records (the default export format is version 1, which lacks AS numbers,
! prefix masks and the sequence counter a collector uses to detect lost exports)
ip flow-export version 5
! specifies the netflow server IP address and the netflow port to use for export
! (export is plain UDP with no authentication, so the collector should be reached over a trusted path)
ip flow-export destination 192.168.10.10 9996
! specify the interface/address that will communicate with the netflow server
ip flow-export source Loopback0
! ensures that flows that have finished are exported in a timely manner
ip flow-cache timeout inactive 15
interface FastEthernet0/0
! applies NetFlow to an interface for capturing all flows
ip route-cache flow
! command to summarize the active flows and how much data it is exporting
show ip cache flow
show ip cache verbose flow
Requirements: Cisco Catalyst 6500 using Supervisor 2 or 720 ; IOS version 12.1.13(E) or higher
! sets the export version. Used to distinguish flows coming from the Supervisor engine and MSFC
mls nde sender version 7
! ensures that flows that have finished are exported in a timely manner
mls aging normal 32
! required to put interface and routing info into the netflow export
mls flow ip full
! specifies the netflow server IP address and the netflow port to use for export
ip flow-export destination 192.168.10.10 9996
! specify the interface/address that will communicate with the netflow server
ip flow-export source Loopback0
interface FastEthernet3/1
! applies NetFlow to an interface for capturing all flows
ip route-cache flow
! command to summarize the active flows and how much data it is exporting
show ip cache flow
show ip cache verbose flow
Requirements: Cisco Catalyst 4500 using Supervisor IV with the NetFlow daughter card; IOS version 12.1(1)EW or higher
! specifies the netflow server IP address and the netflow port to use for export
ip flow-export destination 192.168.10.10 9996
! specify the interface/address that will communicate with the netflow server
ip flow-export source Loopback0
! ensures that flows that have finished are exported in a timely manner
ip flow-cache timeout inactive 15
interface FastEthernet3/1
! applies NetFlow to interface for capturing all flows & ensures routing info is included
ip route-cache flow infer-fields
! command to summarize the active flows and how much data it is exporting
show ip cache flow
show ip cache verbose flow
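The router and Catalyst 4500 exports above (once version 5 is selected) send fixed-layout NetFlow v5 datagrams, 24-byte header plus up to 30 records of 48 bytes, as unauthenticated UDP to the collector on port 9996; the PFC flows on the 6500 (`mls nde sender version 7`) use the v7 layout, which this code does not cover. The Python below is an editor's example serving all three NetFlow sections, not part of the RouteHub guide: it encodes a constructed v5 datagram the way the router would, parses it back, runs a simple detection over the records (one LAN host sending single-packet SYN-only flows to many hosts on TCP/445), and shows the sequence check that tells you whether exports were lost on the way to the collector. All addresses and flows are made up.

```python
import struct
import ipaddress
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # version, count, sysUptime, unix_secs, unix_nsecs,
                                                       # flow_sequence, engine_type, engine_id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in_if, out_if, dPkts, dOctets,
                                                       # first, last, sport, dport, pad, tcp_flags, prot,
                                                       # tos, src_as, dst_as, src_mask, dst_mask, pad
TCP_SYN = 0x02


def build_v5_export(flows, sequence, uptime_ms=0, unix_secs=0):
    """Encode flow dicts as one NetFlow v5 datagram (constructed test data; v5 carries at most 30 records)."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 datagrams carry at most 30 records")
    out = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    for f in flows:
        out += V5_RECORD.pack(
            ipaddress.IPv4Address(f["src"]).packed,
            ipaddress.IPv4Address(f["dst"]).packed,
            ipaddress.IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("in_if", 0), f.get("out_if", 0),
            f["packets"], f["bytes"], 0, 0,
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
            0, 0, 0, 0, 0)
    return out


def parse_v5_export(datagram):
    """Decode a v5 datagram into its sequence number and a list of flow dicts."""
    ver, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(datagram, 0)
    if ver != 5:
        raise ValueError(f"not a NetFlow v5 export (version {ver})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
            "nexthop": str(ipaddress.IPv4Address(r[2])), "in_if": r[3], "out_if": r[4],
            "packets": r[5], "bytes": r[6], "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13], "tos": r[14]})
    return {"sequence": seq, "count": count, "flows": flows}


def find_syn_scanners(flows, min_targets=10):
    """Sources whose SYN-only, one-or-two-packet TCP flows reach at least min_targets distinct (dst, port)."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] == TCP_SYN and f["packets"] <= 2:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def export_loss(prev_seq, prev_count, this_seq):
    """Flows missing between two consecutive datagrams: the v5 sequence counts flows, not datagrams."""
    return this_seq - (prev_seq + prev_count)


# constructed sample: a scan of 10.0.0.1-20 on TCP/445 from one LAN host, plus one ordinary HTTPS session
SAMPLE_FLOWS = [
    {"src": "192.168.10.25", "dst": f"10.0.0.{i}", "sport": 40000 + i, "dport": 445,
     "proto": 6, "tcp_flags": TCP_SYN, "packets": 1, "bytes": 60} for i in range(1, 21)
] + [{"src": "192.168.10.50", "dst": "1.1.1.1", "sport": 51000, "dport": 443,
      "proto": 6, "tcp_flags": 0x1b, "packets": 120, "bytes": 88000}]


def demo():
    """Encode, decode and scan the sample; returns the scanner report."""
    datagram = build_v5_export(SAMPLE_FLOWS, sequence=1000)
    parsed = parse_v5_export(datagram)
    return find_syn_scanners(parsed["flows"])
```

A real collector would feed `parse_v5_export` from a UDP socket bound to port 9996 and keep the last sequence number per exporter so that `export_loss` can alarm on gaps, which otherwise look like a quiet network.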
Topology: managed device .1 and NMS .10 on 192.168.10.0/24
SNMPV2
! specify IP of NMS and community name used for sending SNMP traps
! (SNMPv2c community strings travel in clear text; prefer SNMPv3 where the NMS supports it)
snmp-server host 192.168.10.10 RHG-SNMP
SNMPV3
! configure SNMP view to query all (internet) objects from the Cisco device
snmp-server view RHG-VIEW internet included
! specify SNMPv3 group with the authPriv security level. Associate the SNMP view and standard ACL 10
! (ACL 10, listing the NMS addresses allowed to poll, must be defined separately)
snmp-server group RHG-GROUP v3 priv read RHG-VIEW access 10
! specify the username & associate SNMPv3 group
! specify the authentication protocol (SHA) and password
! specify the encryption protocol (AES 128) and password
snmp-server user RHGUSER RHG-GROUP v3 auth sha RHGPASSWORD1 priv aes 128 RHGPASSWORD2
snmp-server ifindex persist
! specify SNMP location and contact details
snmp-server location TRACY, CA
snmp-server contact support@routehub.com
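With `auth sha ... priv aes 128`, neither RHGPASSWORD1 nor RHGPASSWORD2 is ever sent or used directly: each password is stretched and hashed (RFC 3414 Appendix A.2) and then localized with the agent's snmpEngineID, so the same password yields a different key on every device and a key pulled from one agent does not work against another. The Python below is an editor's example, not part of the RouteHub guide; it reproduces that derivation with `hashlib` (the AES-128 privacy key being the first 16 bytes of the localized key, per RFC 3826) and checks it against the RFC 3414 test vectors. The two engine IDs in `demo` are constructed in the Cisco enterprise format, not real device values.

```python
import hashlib

# sample engine ID from RFC 3414 Appendix A.3, used by the published test vectors
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: str, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: hash 1,048,576 bytes of the password repeated cyclically (the 'Ku' intermediate key)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("password must not be empty")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes, hash_name: str = "sha1"):
    """Localized authentication key (full digest) and AES-128 privacy key (first 16 bytes, RFC 3826 section 1.2)."""
    auth_key = localize(password_to_ku(auth_password, hash_name), engine_id, hash_name)
    priv_key = localize(password_to_ku(priv_password, hash_name), engine_id, hash_name)[:16]
    return auth_key, priv_key


def demo():
    """The guide's RHGUSER passwords localized against two made-up Cisco-format engine IDs (enterprise 9, MAC format)."""
    engine_a = bytes.fromhex("8000000903aabbccddeeff")   # constructed, not a real device
    engine_b = bytes.fromhex("8000000903112233445566")   # constructed, not a real device
    auth_a, priv_a = usm_keys("RHGPASSWORD1", "RHGPASSWORD2", engine_a)
    auth_b, priv_b = usm_keys("RHGPASSWORD1", "RHGPASSWORD2", engine_b)
    return {
        "same_password_different_keys": auth_a != auth_b and priv_a != priv_b,
        "auth_key_len": len(auth_a),
        "priv_key_len": len(priv_a),
    }
```

`show snmp engineID` on the router gives the engine ID a manager must use; a manager that learns a wrong engine ID (for example after a device is replaced) derives different keys and fails authentication, which is the behaviour you want.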
NTP
NTP CLIENT
Topology: NTP server .1 and client .2 on 192.168.10.0/24
! configuration on a terminal server with async ports that maps IP 10.67.78.71 to TTY port 2001:
! a "telnet 10.67.78.71" then connects straight to the console session on port 2001
MAINTENANCE
Topology: device .1 and syslog server .10 on 192.168.10.0/24
! send logs for levels 0-7 to the buffer on the device up to 16KB
logging buffered 16384 debugging
! disable log messages to console
no logging console
! disable log messages to terminal monitor (via Telnet/SSH)
no logging monitor
! send logs for levels 0-4 to SYSLOG server
logging trap warning
! specify facility level
logging facility local4
! specify the source interface to send log messages from
logging source-interface Vlan10
! specify IP of SYSLOG server
logging 192.168.10.10
! Alternatively, errdisable recovery can be enabled per cause; the supported causes include:
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
GENERAL
TIME-ZONE
ARP TIMEOUT
LOAD INTERVAL
interface FastEthernet0/0
! view interface stats every 60 seconds instead of 5 minutes (default)
load-interval 60
SECONDARY IP
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
! second IP configured on interface
ip address 192.168.11.1 255.255.255.0 secondary
interface FastEthernet4
! enable interface to get IP via DHCP
ip address dhcp
SSH
SENDING MESSAGES
OR
Flow control on Gigabit Ethernet interfaces lets a port ask its directly connected neighbour (with IEEE 802.3x
PAUSE frames) to stop transmitting briefly while receive buffers drain, which helps prevent congestion and packet drops.
interface GigabitEthernet1/0/2
! honour PAUSE frames received from the neighbour (this port pauses its own transmit when asked)
flowcontrol receive on
! never send PAUSE frames to the neighbour
flowcontrol send off
INCLUDE
! issue the command "show ip route" but only displays lines that contains "28416"
show ip route | include 28416
D 10.25.1.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
D 10.25.100.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
D 10.25.150.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
D 10.25.200.0/24 [90/28416] via 10.25.99.1, 7w0d, Vlan1
ALIAS (EXEC)
! alias where entering the command "c" will go into the config mode
alias exec c config t
DO
DEFAULT INTERFACE
MULTIPLE PORTS/INTERFACES
! runs macro that will ping the IP addresses listed in the macro automatically
macro global apply macro_PING
* This macro will add new VLANs and VLAN SVIs automatically on a L2/L3 switch. This macro will
also include parameters where we can enter specific details with the macro that will be applied.
! apply macro on a L2/L3 switch. This will create a new VLAN, which will be VLAN 123
! and the description of this VLAN will be called TEST_VLAN.
! The subnet for this new VLAN will be 192.168.123.0 which includes the VLAN ID we defined
! Note: the syntax "trace" means we want to see the output which is shown here:
UC01TRA(config-if)#macro trace macro_new_VLAN $V 123 $D TEST_VLAN
Applying command... 'vlan 123'
Applying command... ' name TEST_VLAN'
Applying command... 'interface vlan 123'
Applying command... ' ip address 192.168.123.1 255.255.255.0'
Applying command... ' no shutdown '
* This macro will create a configuration that can be applied to a voice switch port with
connected IP phones and endpoints which will include VLANs and QoS. This can allow an engineer
to define the macro with all the necessary configuration then allow a technician to apply the
macro where needed on ports that are considered as voice ports.
! enable CEF load-sharing algorithm to use L3+L4 information for load balancing traffic
mls ip cef load-sharing full
NAT
Topology (NAT overload to a pool): LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
! configure NAT and range of Public IP's to use for NAT Overload
ip nat pool NATPOOL 1.1.1.5 1.1.1.6 netmask 255.255.255.0
! hosts in ACL 101 will NAT overload to the range of Public IP's from the NAT pool
ip nat inside source list 101 pool NATPOOL overload
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
Topology (NAT overload to the interface address): LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
! hosts in ACL 101 will NAT overload to the Public IP on the WAN interface
ip nat inside source list 101 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
Topology (dynamic NAT to a pool): LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, NAT pool 1.1.1.10 - 1.1.1.20
STATIC NAT
Topology: LAN 192.168.10.0/24 (router .1, server .10), WAN 1.1.1.1; the server is reachable from outside as 1.1.1.10; remote network 6.7.7.0/24 (host .10)
! one-to-one mapping: inside server 192.168.10.10 is always translated to/from public IP 1.1.1.10
! (the same mapping the stateful NAT example further down uses)
ip nat inside source static 192.168.10.10 1.1.1.10
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
Topology (static PAT / port forwarding): LAN 192.168.10.0/24 (router .1, server .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
! any connection to the WAN interface IP on TCP/443 is translated to the inside server 192.168.10.10:443;
! "extendable" allows more than one static entry to share the same public address
ip nat inside source static tcp 192.168.10.10 443 1.1.1.1 443 extendable
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
Topology: LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
Topology (stateful NAT with HSRP): R1 Gi0/0 1.1.1.1/24 to ISP1, R2 Gi0/0 1.2.2.1/24 to ISP2; R1 Gi0/1 .2 and R2 Gi0/1 .3 on 192.168.10.0/24 with HSRP virtual IP .1;
both routers hold the same translations: static 1.1.1.10 -> 192.168.10.10 and dynamic pool 1.1.1.5 - 1.1.1.6 -> 192.168.10.x
Note: stateful NAT does not support PAT (overload)
>>R1<<
! define stateful NAT group using ID "1"
ip nat stateful id 1
! HSRP group name the NAT group follows (must match "standby name" on the HSRP interface)
redundancy SF-NAT
! mapping ID of "1", shared by both routers
mapping-id 1
! specify the HSRP enabled interface
interface GigabitEthernet0/1
! transport used to exchange translation state with the peer
protocol udp
! dynamic NAT (not NAT overload) and the static mapping, both tied to the stateful NAT group via mapping-id 1
! (NATPOOL must be defined separately, e.g. the 1.1.1.5 - 1.1.1.6 range shown in the topology)
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 110 pool NATPOOL mapping-id 1
ip nat inside source static 192.168.10.10 1.1.1.10 mapping-id 1
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.2 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
! primary HSRP router configuration
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby priority 110
! HSRP group name referenced by the stateful NAT group
standby name SF-NAT
>>R2<<
! define stateful NAT group using ID "1"
ip nat stateful id 1
! HSRP group name the NAT group follows (must match "standby name" on the HSRP interface)
redundancy SF-NAT
! mapping ID of "1", shared by both routers
mapping-id 1
! specify the HSRP enabled interface
interface GigabitEthernet0/1
! transport used to exchange translation state with the peer
protocol udp
! dynamic NAT (not NAT overload) and the static mapping, both tied to the stateful NAT group via mapping-id 1
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 110 pool NATPOOL mapping-id 1
ip nat inside source static 192.168.10.10 1.1.1.10 mapping-id 1
interface GigabitEthernet0/0
ip address 1.2.2.1 255.255.255.0
! specify WAN facing interface (outside) for NAT
ip nat outside
interface GigabitEthernet0/1
ip address 192.168.10.3 255.255.255.0
! specify LAN facing interface (inside) for NAT
ip nat inside
! secondary HSRP router configuration
standby ip 192.168.10.1
standby timers msec 250 msec 750
standby preempt delay minimum 180
! HSRP group name referenced by the stateful NAT group
standby name SF-NAT
MONITOR
Topology: primary default route via ISP1 (next hop 1.1.1.2, local WAN 1.1.1.1), backup via ISP2 (next hop 1.2.2.2, local WAN 1.2.2.1)
! track object 1 follows the reachability result of IP SLA probe 10 ("rtr" is the legacy keyword; newer releases
! use "track 1 ip sla 10 reachability"). The probe itself (ip sla 10) must be defined and scheduled separately
track 1 rtr 10 reachability
! dampen flapping: wait 30 seconds before declaring the track down and 60 seconds before declaring it up again
delay down 30 up 60
! apply track ID to the primary default route. If the probe fails the route is removed
ip route 0.0.0.0 0.0.0.0 1.1.1.2 track 1
! secondary default route to the second ISP using higher admin distance
ip route 0.0.0.0 0.0.0.0 1.2.2.2 254
IP ACCOUNTING
interface Vlan10
ip address 192.168.10.1 255.255.255.0
! enable IP accounting
ip accounting output-packets
Topology (DHCP relay): clients on vlan10 192.168.10.x, DHCP server 192.168.20.10 on vlan20
Topology (DHCP server): DHCP-enabled router at .1 serving 192.168.10.0/24
Topology (PBR): two Internet links (INET), LAN subnets 192.168.10.0/24 and 192.168.11.0/24
! configure PBR
route-map PBR-RM-INET permit 10
! associate ACL to PBR
match ip address PBR-ACL-INET
! all permitted entries in the ACL will be forwarded to 10.1.3.3
set ip next-hop 10.1.3.3
interface Vlan10
ip address 192.168.10.1 255.255.255.0
! associate PBR to LAN facing interface
ip policy route-map PBR-RM-INET
show ip policy
show route-map
! ACL to define who can use HTTP services on the Cisco IOS device
access-list 23 permit 192.168.10.0 0.0.0.255
Topology (server load balancing): server farm VIP 192.168.20.10; web servers on 192.168.10.0/24 (WEB02TRA at .12)
interface FastEthernet1/1
description "Uplink to the Default Gateway"
no ip address
switchport
switchport access vlan 20
interface FastEthernet1/2
description "Connection to Web server 1"
no ip address
switchport
switchport access vlan 10
interface FastEthernet1/3
description "Connection to Web server 2"
no ip address
switchport
switchport access vlan 10
APPLETALK
interface FastEthernet1/1
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
! define appletalk address range and zone
appletalk cable-range 11219-11219 11219.97
appletalk zone Classroom 4
IPX
>> R1 <<
! enable IPX
ipx routing
! enable IPX EIGRP routing for all IPX configured networks (100,10)
ipx router eigrp 1
network all
>> R2 <<
! enable IPX
ipx routing
! enable IPX EIGRP routing for all IPX configured networks (100,20)
ipx router eigrp 1
network all
Topology: LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, DMZ 192.168.11.0/24 (router .1), remote network 6.7.7.0/24
! outbound ACL toward the DMZ: permit ICMP, permit return traffic for sessions recorded in the reflexive ACL
! "reflexive-public-acl" (populated by the "reflect" entries in public-ingress-acl), deny and log everything else.
! caveat: "permit icmp any any" admits every ICMP type; restrict it to echo/echo-reply/unreachable/time-exceeded where possible
ip access-list extended public-egress-acl
permit icmp any any
evaluate reflexive-public-acl
deny ip any any log
interface Vlan11
ip address 192.168.11.1 255.255.255.0
! apply ACL policy (inbound & outbound) to the DMZ interface
ip access-group public-ingress-acl in
ip access-group public-egress-acl out
Topology: LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
interface VLAN10
ip address 192.168.10.1 255.255.255.0
! apply ACL inbound to the LAN facing interface
ip access-group hfc-outgoing-acl in
Topology: LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
interface FastEthernet4
ip address 1.1.1.1 255.255.255.0
! apply ACL inbound to the WAN facing interface
ip access-group 100 in
Topology: LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, DMZ 192.168.11.0/24 (router .1), remote network 6.7.7.0/24
! configure a one-time schedule to start at 12/9/2009 at 10AM and end at 12/9/2009 at 12PM
time-range "lab-time"
absolute start 10:00 09 December 2009 end 12:00 09 December 2009
interface Vlan11
ip address 192.168.11.1 255.255.255.0
! apply ACL inbound to the interface
ip access-group lab-acl in
! black-hole route: any traffic destined to 6.7.7.0/24 is discarded (sent to Null0) instead of being forwarded
ip route 6.7.7.0 255.255.255.0 Null0
Topology: LAN 192.168.10.0/24 (router .1, host .10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
! associate ACL to interface (inbound)
ip access-group ACL-FW in
Topology: VLAN10 192.168.10.0/24 (router .1, host .10)
interface Vlan10
ip address 192.168.10.1 255.255.255.0
! inbound ACL applied
ip access-group RHG-VLAN10-ACL-IN in
! outbound ACL applied
ip access-group RHG-VLAN10-ACL-OUT out
Topology: LAN 192.168.10.0/24 (router .1, server .10 reachable from outside as 1.1.1.10), WAN 1.1.1.1, remote network 6.7.7.0/24 (host .10)
interface Serial0/0
ip address 1.1.1.1 255.255.255.0
! apply the reflexive ACL (RACL) stateful firewall policy on the WAN facing interface: ingress-acl admits only return traffic for sessions that egress-acl reflected
ip access-group ingress-acl in
ip access-group egress-acl out
interface Serial0/0
ip address 1.1.1.1 255.255.255.0
! apply CBAC stateful firewall policies on the WAN facing interface
ip access-group ingress-acl in
ip inspect FW out
Topology: Site #1 router (LAN .1, WAN 1.1.1.1) <-> Site #2 router (WAN 2.2.2.2, LAN .1)
! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
! LAN interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! LAN subnets at Site #2 communicating with LAN subnets at Site #1 will not use NAT
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
! WAN interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! apply IPSec VPN policy
crypto map vpn
Topology: Site #1 router (LAN .1, WAN 1.1.1.1) <-> Site #2 router (WAN 2.2.2.2, LAN .1)
Notes: Site #1 accepts the tunnel but never initiates it; the remote VPN device at Site #2 must initiate
the connection, so the tunnel can only be brought up from Site #2 toward Site #1, not from Site #1.
! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
! LAN interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
! WAN interface
interface FastEthernet0/0
ip address 1.1.1.1 255.255.255.0
! apply IPSec VPN policy
crypto map RHG-VPN
! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! LAN subnets at Site #2 communicating with LAN subnets at Site #1 will not use NAT
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
! WAN interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! apply IPSec VPN policy
crypto map VPN
Topology (VPN on a stick): Site #1 (192.168.10.0/24, VPN peer 1.1.1.1) across the Internet to Site #2, where the edge router/firewall (ER/FW, WAN 1.2.2.1, LAN .1) forwards the public address 1.2.2.2 to the VPN router (871) at 192.168.20.2 on 192.168.20.0/24
VPN-ON-A-STICK
hostname VPN-ON-A-STICK
! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! ACL configured to allow all ISAKMP (UDP/500) and ESP traffic to the VPN router (871)
ip access-list extended ingress-acl
permit udp any host 1.2.2.2 eq 500
permit esp any host 1.2.2.2
! static route of VPN Site #1 subnet routing through the VPN router (871)
ip route 192.168.10.0 255.255.255.0 192.168.20.2
! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! no NAT ACL applied to NAT configuration
nat (RHG-LAN) 0 access-list ACL-NONAT
Topology: Site #1 router (LAN .1, WAN 1.1.1.1) <-> Site #2 router (WAN 2.2.2.2, LAN .1)
>>Site #1<<
! extended ACL defining the traffic to encrypt: the GRE tunnel from 1.1.1.1 to 2.2.2.2
access-list 100 permit gre host 1.1.1.1 host 2.2.2.2
>>Site #2<<
! mirror-image ACL on the remote router: the GRE tunnel from 2.2.2.2 to 1.1.1.1
access-list 100 permit gre host 2.2.2.2 host 1.1.1.1
MONITOR
Topology (DMVPN): hub WAN 1.1.1.1, tunnel 10.1.1.1, LAN 192.168.10.0/24; spoke WAN 2.2.2.2, tunnel 10.1.1.2, LAN 192.168.20.0/24; connected over the Internet (INET)
DMVPN HUB
! keyring with a wildcard pre-shared key: any spoke source address may present this key to the hub.
! One key shared by every spoke means a compromised spoke can impersonate any other; per-spoke keys or certificates are stronger
crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key RHGauth
! ISAKMP policy (3DES and DH group 2 are legacy choices; prefer AES and group 14 or higher on current software)
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
! ISAKMP profile
crypto isakmp profile dmvpn-isakmp
! associate configured keyring profile
keyring dmvpnspokes
! allow any spoke using the correct security key to connect to this DMVPN hub router
match identity address 0.0.0.0
! IPSec profile
crypto ipsec profile dmvpn
set security-association lifetime seconds 120
! associate IPSec transform policy
set transform-set ipsec-ts
! associate ISAKMP profile
set isakmp-profile dmvpn-isakmp
! static route for a DMVPN Spoke’s subnet via 10.1.1.2 (IP on Tunnel interface for DMVPN spoke)
ip route 192.168.20.0 255.255.255.0 10.1.1.2
DMVPN SPOKE
! ISAKMP key matching what is configured on the DMVPN hub (and other remote sites)
crypto isakmp key RHGauth address 0.0.0.0 0.0.0.0
crypto isakmp xauth timeout 45
! static route for DMVPN Hub subnet via 10.1.1.1 (IP on Tunnel interface for DMVPN hub)
ip route 192.168.10.0 255.255.255.0 10.1.1.1
MONITOR
Topology:
HQ: DMVPN and IPSec VPN ; LAN: 192.168.10.0/24, WAN: 10.1.1.1 (for DMVPN)
S1: DMVPN; LAN: 192.168.20.0/24, WAN: 10.1.1.2 (for DMVPN)
S2: DMVPN; LAN: 192.168.30.0/24, WAN: 10.1.1.3 (for DMVPN)
S3: IPSec VPN; LAN: 192.168.40.0/24
! ISAKMP policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
! static routes to remote sites (S1 & S2) using DMVPN tunnels
ip route 192.168.20.0 255.255.255.0 10.1.1.2
ip route 192.168.30.0 255.255.255.0 10.1.1.3
Topology (GET VPN): key servers KS1 10.1.1.1 and KS2 10.1.1.2; group members H 10.1.1.3 (LAN 10.2.1.0/24) and S1 10.1.1.4 (LAN 10.2.2.0/24); all on the IP WAN 10.1.1.0/24
KEY SERVERS
>>KS1<<
! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
! ISAKMP key shared with each group member and key server on the IP WAN
crypto isakmp key cisco123 address 10.1.1.2
crypto isakmp key cisco123 address 10.1.1.3
crypto isakmp key cisco123 address 10.1.1.4
! IPSec profile
crypto ipsec profile gdoi-profile-gvpn1
set security-association lifetime seconds 1800
! associate IPSec transform policy
set transform-set GVPN-TS
>>KS2<<
! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
! ISAKMP key shared with each group member and key server on the IP WAN
crypto isakmp key cisco123 address 10.1.1.1
crypto isakmp key cisco123 address 10.1.1.3
crypto isakmp key cisco123 address 10.1.1.4
! IPSec profile
crypto ipsec profile gdoi-profile-gvpn1
set security-association lifetime seconds 1800
! associate IPSec transform policy
set transform-set GVPN-TS
GROUP MEMBERS
! ISAKMP policy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
! GDOI policy
crypto gdoi group gvpn1
! specify the same ID number (1) configured on the key servers
identity number 1
! specify the IP for each key server on the IP WAN
server address ipv4 10.1.1.1
server address ipv4 10.1.1.2
MONITOR
>>KEY SERVER<<
show crypto gdoi ks
show crypto isakmp sa
show crypto gdoi group <gdoi-group>
show crypto gdoi ks members
show crypto gdoi ks policy
show crypto gdoi ks acl
>>GROUP MEMBER<<
show crypto isakmp sa
show crypto gdoi group <gdoi-group>
aaa new-model
! EZVPN client users will be authenticated & authorized against the local user database
aaa authentication login userauthen local
aaa authorization network groupauthor local
! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool routehub-pool 192.168.100.10 192.168.100.50
! ACL that specifies what networks can be accessed across the VPN tunnel once established
ip access-list extended split-tunnel-acl
permit ip 192.168.10.0 0.0.0.255 any
! ACL that specifies that the LAN and VPN subnet should not use NAT
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
! all other communication from the LAN will use NAT
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
! NAT exemption via route-map (not PBR): route-map "no-NAT" must match ACL 110, so LAN-to-VPN-pool traffic is
! exempt from NAT while everything else from the LAN is overloaded onto the WAN interface address
ip nat inside source route-map no-NAT interface FastEthernet1 overload
! IPSec policy associating the dynamic map policy used for EZVPN
crypto map ezvpn 1 ipsec-isakmp dynamic ezvpn
interface FastEthernet1
! associate IPSec policy to WAN facing interface
crypto map ezvpn
aaa new-model
! SSL VPN client users will be authenticated against the local user database
aaa authentication login RHG-AAA-SSL local
! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool RHG-POOL-VPN 192.168.100.30 192.168.100.50
! configure portal page to include the logo (located in flash) and colors on the web page
webvpn context routehub
title "RouteHub SSL VPN"
logo file logo_routehub.gif
title-color #669999
secondary-color white
text-color black
ssl authenticate verify all
default-group-policy policy_1
! associate AAA authentication to SSL VPN profile
aaa authentication list RHG-AAA-SSL
! specify the domain name VPN users will use by default
gateway gateway_1 domain routehub.local
inservice
aaa new-model
! SSL VPN client users will be authenticated against the local database on ASA
aaa authentication login RHG-AAA-SSL local
! configure portal page to include the logo (located in flash) and colors on the web page
webvpn context routehub
title "RouteHub SSL VPN"
logo file logo_routehub.gif
title-color #669999
secondary-color white
text-color black
ssl authenticate verify all
default-group-policy ROUTEHUB
! associate AAA authentication to SSL VPN profile
aaa authentication list RHG-AAA-SSL
! specify the gateway policy to use
gateway gateway_1
inservice
MONITOR
PPTP
! enable VPDN
vpdn enable
vpdn logging
! enable URL filtering using the name “websec” for HTTP URL inspection
ip inspect name websec http urlfilter
ip urlfilter cache 5
! specify the domains that should be automatically blocked
ip urlfilter exclusive-domain deny .youtube.com
! specify the domains that should be automatically allowed
ip urlfilter exclusive-domain permit www.routehub.local
ip urlfilter audit-trail
ip urlfilter alert
! URL filtering server will be WebSense using 192.168.10.10
ip urlfilter server vendor websense 192.168.10.10
interface Vlan10
ip address 192.168.10.1 255.255.255.0
! enable URL filtering inbound on LAN interface
ip inspect websec in
SERVICES ... 178
  WCCP ... 178
  802.1X ... 179
  AAA and TACACS+ ... 180
  RADIUS ... 180
  Lower Case ... 181
  Testing AAA ... 181
  IPS Module in Cisco ISR Series ... 181
WCCP
! configure ACL for what should be inspected by the proxy (permit) or not (deny)
ip access-list extended wccp-acl
! individual hosts on the network that should bypass the proxy
deny ip host 192.168.10.23 any
deny ip host 192.168.10.74 any
! subnets that should be redirected to the proxy
permit ip 192.168.11.0 0.0.0.255 any
! hosts on the subnet doing HTTP requests should be redirected to the proxy
permit tcp 192.168.10.0 0.0.0.255 any eq www
! hosts on the subnet doing a HTTPS requests should bypass the proxy
deny tcp 192.168.10.0 0.0.0.255 any eq 443
! any hosts trying to access host 6.7.7.10 should bypass the proxy
deny ip any host 6.7.7.10
! all other requests bypass the proxy (a deny in a redirect-list means "do not redirect")
deny ip any any
! enable WCCP and redirect traffic to proxy based on the configured ACL
ip wccp 9 redirect-list wccp-acl
interface GigabitEthernet3/1
ip address 1.1.1.1 255.255.255.0
! enable WCCP on WAN facing interface that will use the proxy
ip wccp 9 redirect out
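The redirect-list above is evaluated top down and the first matching entry decides: permit means "send to the proxy", deny means "bypass". To make that ordering visible, here is an added Python evaluator (editor-supplied, not part of the guide) that parses a constructed copy of the wccp-acl and answers the question for a given flow. It handles only the ACE forms that ACL uses (ip/tcp, host, any, wildcard masks, eq port) and assumes the garbled permit line reads `permit ip 192.168.11.0 0.0.0.255 any`; the destination addresses in the demo flows are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed copy of the wccp-acl above. The garbled permit line is assumed to
# read "permit ip 192.168.11.0 0.0.0.255 any".
WCCP_ACL = """
deny ip host 192.168.10.23 any
deny ip host 192.168.10.74 any
permit ip 192.168.11.0 0.0.0.255 any
permit tcp 192.168.10.0 0.0.0.255 any eq www
deny tcp 192.168.10.0 0.0.0.255 any eq 443
deny ip any host 6.7.7.10
deny ip any any
"""

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "domain": 53}  # port names IOS accepts
AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit integers


@dataclass
class Ace:
    action: str           # "permit" (redirect to proxy) or "deny" (bypass proxy)
    proto: str            # "ip" matches every protocol; "tcp"/"udp" only that one
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # destination port from "eq", or None


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(text):
    """Turn extended-ACL lines into Ace objects, keeping their order."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("!") or toks[0] == "remark":
            continue
        action, proto = toks[0], toks[1]
        src, i = _parse_addr(toks, 2)
        dst, i = _parse_addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            port = toks[i + 1]
            dport = PORT_NAMES.get(port, int(port) if port.isdigit() else None)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _addr_matches(spec, ip):
    """A wildcard bit of 1 means 'don't care'; only the 0 bits are compared."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def redirect_decision(aces, src, dst, proto="tcp", dport=None):
    """First matching ACE wins: permit -> 'redirect' (to the proxy), deny -> 'bypass'.
    A flow that matches nothing hits the implicit deny and also bypasses."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return "redirect" if ace.action == "permit" else "bypass"
    return "bypass"


WCCP_ACES = parse_acl(WCCP_ACL)

if __name__ == "__main__":
    for flow in [("192.168.10.23", "203.0.113.5", "tcp", 80),
                 ("192.168.10.50", "203.0.113.5", "tcp", 80),
                 ("192.168.10.50", "203.0.113.5", "tcp", 443),
                 ("192.168.11.5", "6.7.7.10", "tcp", 80)]:
        print(flow, "->", redirect_decision(WCCP_ACES, *flow))
```

Running it shows the ordering point worth checking in any redirect-list: because the subnet-wide permit for 192.168.11.0/24 sits above the deny for host 6.7.7.10, traffic from that subnet to 6.7.7.10 is still redirected; only the 192.168.10.0/24 hosts get the bypass. Move the host deny above the permit if the bypass is meant to apply to everyone.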
aaa new-model
! configure AAA group to specify the RADIUS server and ports.
aaa group server radius ACS-RADIUS
server 192.168.10.10 auth-port 1812 acct-port 1813
! AAA authentication and authorization to use the RADIUS group for 802.1X
aaa authentication dot1x default group ACS-RADIUS
aaa authorization network default group ACS-RADIUS
aaa new-model
! configure AAA group to specify the TACACS+ server
aaa group server tacacs+ ACS-TACACS
server 192.168.10.10
! any telnet/ssh access to device will authenticate against TACACS+ then the local database
aaa authentication login default group ACS-TACACS local
aaa authentication login console line
aaa authorization exec default group ACS-TACACS local
aaa authorization commands 1 default group ACS-TACACS if-authenticated none
aaa authorization commands 15 default group ACS-TACACS local none
aaa accounting exec default start-stop group ACS-TACACS
aaa accounting commands 15 default start-stop group ACS-TACACS
aaa accounting network default start-stop group ACS-TACACS
aaa accounting system default start-stop group ACS-TACACS
! TACACS+ requests should use the IP configured on Eth0/1 for all communication
ip tacacs source-interface Ethernet0/1
line con 0
! console logins use the "console" method list defined above (line password)
login authentication console
password cisco123
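The method lists above (`group ACS-TACACS local`, `... if-authenticated none`, `... local none`) move on to the next method only when a method cannot answer, not when it rejects. The added Python model below (editor-supplied, not from the guide) walks a method list with that rule over constructed server and local-user data; `if-authenticated` is not modelled. It makes two properties of the configuration concrete: the `local` entry is a fallback for a TACACS+ outage, not a second password that works while the server is up, and the trailing `none` on the commands 15 list authorizes anything once TACACS+ is unreachable and no local entry matches.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method answered and accepted
    FAIL = "fail"    # method answered and rejected: final, no fallback
    ERROR = "error"  # method could not answer: IOS moves on to the next method


def method_group(server_name, ctx):
    """AAA server group: ERROR when unreachable, otherwise the server's verdict."""
    server = ctx["servers"].get(server_name)
    if server is None or not server["reachable"]:
        return Result.ERROR
    return Result.PASS if server["users"].get(ctx["user"]) == ctx["password"] else Result.FAIL


def method_local(ctx):
    """Local database: an unknown username cannot be decided locally (ERROR, fall
    through); a known username with a wrong password is a definite FAIL."""
    if ctx["user"] not in ctx["local_users"]:
        return Result.ERROR
    return Result.PASS if ctx["local_users"][ctx["user"]] == ctx["password"] else Result.FAIL


def method_line(ctx):
    """Line password, as used by the 'console' login list above."""
    return Result.PASS if ctx.get("line_password") == ctx["password"] else Result.FAIL


def parse_methods(spec):
    """'group ACS-TACACS local none' -> [('group', 'ACS-TACACS'), ('local', None), ('none', None)]"""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group":
            out.append(("group", toks[i + 1]))
            i += 2
        else:
            out.append((toks[i], None))
            i += 1
    return out


def evaluate(spec, ctx):
    """Walk the method list the way IOS does: the next method is consulted only
    when the previous one returns ERROR. Returns (verdict, deciding method)."""
    for kind, arg in parse_methods(spec):
        if kind == "group":
            r = method_group(arg, ctx)
        elif kind == "local":
            r = method_local(ctx)
        elif kind == "line":
            r = method_line(ctx)
        elif kind == "none":
            r = Result.PASS
        else:
            raise ValueError(f"method not modelled: {kind}")
        if r is not Result.ERROR:
            return r, (kind if arg is None else f"{kind} {arg}")
    return Result.FAIL, None  # every method errored: modelled as a deny


def fails_open(spec):
    """True when 'none' is in the list: if every earlier method errors (TACACS+
    unreachable and no matching local entry), the request is granted."""
    return any(kind == "none" for kind, _ in parse_methods(spec))


def make_ctx(user, password, tacacs_up):
    # Constructed sample data: one TACACS+ server (ACS-TACACS, as in the config
    # above) and a local fallback account with a different password.
    return {
        "user": user,
        "password": password,
        "servers": {"ACS-TACACS": {"reachable": tacacs_up, "users": {"admin": "tac-pw"}}},
        "local_users": {"admin": "local-pw"},
        "line_password": "cisco123",
    }


if __name__ == "__main__":
    print(evaluate("group ACS-TACACS local", make_ctx("admin", "local-pw", True)))
    print(evaluate("group ACS-TACACS local", make_ctx("admin", "local-pw", False)))
    print(evaluate("group ACS-TACACS local none", make_ctx("contractor", "x", False)))
    print(fails_open("group ACS-TACACS local none"))
```

With the server reachable, the local password is rejected by TACACS+ and `local` is never consulted; with the server down, the same credentials pass via `local`. The `fails_open` check is the thing to run over every method list on a device: a list that ends in `none` should be a deliberate choice for that privilege level, not an accident.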
RADIUS
! specify source interface (IP from this interface) for RADIUS communication.
ip radius source-interface FastEthernet0/0
! specify RADIUS server IP, port numbers, and shared key
radius-server host 192.168.10.10 auth-port 1812 acct-port 1813 key cisco123
TESTING AAA
! test RADIUS configuration using the username "mthomati" in the domain "RHG" (<password> is a placeholder)
test aaa group radius RHG\mthomati <password> new-code
! enable Promiscuous monitoring for the traffic listed in the associated ACL
ids-service-module monitoring promiscuous access-list 100
L3VPN ... 183
L2VPN ... 205
L3VPN ... 183
  Basic Tunneling ... 184
    GRE Tunnel ... 184
    IP Tunnel (IPIP) ... 185
  Multi-CE VRF (VRF-lite) ... 186
    Access Configuration (No VRF) ... 186
    Distribution/Aggregation Configuration (VRF) ... 187
    Core Configuration (VRF) ... 189
    Zone Configuration (No VRF) ... 191
    Firewall Between Zone and Core ... 193
  MPLS VPN ... 196
    MPLS: Provider (P) ... 196
    MPLS: Provider Edge (PE) ... 197
    VRF (MPLS PE) ... 198
    MP-BGP (MPLS PE) ... 199
    MPLS: Customer Edge (CE) ... 201
    MPLS over GRE ... 202
    VRF Selection ... 203
GRE TUNNEL
[Topology diagram: R1 (P1, WAN 1.1.1.1) and R2 (P2, WAN 2.2.2.2) across the INET; tunnel addresses 10.1.1.1 and 10.1.1.2]
>> R1 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
! specify IP on WAN facing interface
tunnel source 1.1.1.1
! specify destination IP on remote end
tunnel destination 2.2.2.2
>> R2 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
! specify IP on WAN facing interface
tunnel source 2.2.2.2
! specify destination IP on remote end
tunnel destination 1.1.1.1
IP TUNNEL (IPIP)
[Topology diagram: same as for the GRE tunnel: R1 (P1, WAN 1.1.1.1) and R2 (P2, WAN 2.2.2.2) across the INET; tunnel addresses 10.1.1.1 and 10.1.1.2]
>> R1 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.1 255.255.255.252
! specify IP on WAN facing interface
tunnel source 1.1.1.1
! specify destination IP on remote end
tunnel destination 2.2.2.2
! specifies that this will be an IP enabled tunnel not GRE tunnel
tunnel mode ipip
>> R2 <<
! create tunnel interface
interface Tunnel0
ip address 10.1.1.2 255.255.255.252
! specify IP on WAN facing interface
tunnel source 2.2.2.2
! specify destination IP on remote end
tunnel destination 1.1.1.1
! specifies that this will be an IP enabled tunnel not GRE tunnel
tunnel mode ipip
[Topology diagram (VRF-lite): ACCESS, AGG, CORE and ZONE layers joined by 802.1q trunks, VRFs on AGG and CORE, FW between ZONE and CORE. Client 1: 10.1.100.0/24 (v100), 10.1.99.0/24 (v199), 10.1.98.0/24 (v198). Client 2: 10.2.100.0/24 (v100), 10.2.99.0/24 (v199), 10.2.98.0/24 (v298). Trunk VLANs shown per layer: vlan198/vlan298 (ZONE, CORE), vlan199/vlan299 (AGG), vlan100/vlan200 (ACCESS).]
! VLANs for Client 1 & 2 (LAN and Interconnection) tagged up to the LAN Core
interface GigabitEthernet0/1
description TO: LAN Core
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200,199,299
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
! VLANs for Client 1 & 2 (LAN only) tagged down to the LAN Access
interface GigabitEthernet0/2
description TO: LAN Access
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,200
switchport mode trunk
switchport nonegotiate
carrier-delay msec 0
passwd secret123
enable password secret123
[Topology diagram (MPLS VPN): PE1 (.2) to CE1 (.4, loopback 4.4.4.4) over 10.2.4.0/24; PE2 (.3) to CE2 (.5, loopback 5.5.5.5) over 10.3.5.0/24]
>>P1<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp
>>PE1<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp
>>PE2<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp
>>PE1<<
! configure VRF for Client A using RD of 10:100
ip vrf CEA
rd 10:100
route-target export 10:100
route-target import 10:100
>>PE2<<
! configure VRF for Client A using RD of 10:100
ip vrf CEA
rd 10:100
route-target export 10:100
route-target import 10:100
>>PE1<<
! BGP routing process in ASN 6778
router bgp 6778
no synchronization
bgp log-neighbor-changes
! specify iBGP peer to PE2
neighbor 3.3.3.3 remote-as 6778
neighbor 3.3.3.3 update-source Loopback0
no auto-summary
>>PE2<<
! BGP routing process in ASN 6778
router bgp 6778
no synchronization
bgp log-neighbor-changes
! specify iBGP peer to PE1
neighbor 2.2.2.2 remote-as 6778
neighbor 2.2.2.2 update-source Loopback0
no auto-summary
>>CE1<<
! management interface for CE1
interface Loopback0
ip address 4.4.4.4 255.255.255.255
>>CE2<<
! management interface for CE2
interface Loopback0
ip address 5.5.5.5 255.255.255.255
MPLS OVER GRE
[Topology diagram: P1 1.1.1.1 (MPLS1) and P2 2.2.2.2 (MPLS2) across the INET; GRE tunnel addresses 172.16.1.1 and 172.16.1.2]
>>P1 in MPLS1<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp
! GRE interface
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
! specify local interface where GRE will be established from
tunnel source FastEthernet1/0
! specify the destination where the GRE tunnel will be terminated to
tunnel destination 2.2.2.2
! enable MPLS on interface
mpls ip
>>P2 in MPLS2<<
! enable MPLS to use LDP instead of Cisco’s TDP
mpls label protocol ldp
! GRE interface
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
! specify local interface where GRE will be established from
tunnel source FastEthernet1/0
! specify the destination where the GRE tunnel will be terminated to
tunnel destination 1.1.1.1
! enable MPLS on interface
mpls ip
VRF SELECTION
[Topology diagram: PE (.1) on 192.168.10.0/24 with Client 1 (.2, 172.16.1.0/24) and Client 2 (.3, 172.16.2.0/24)]
>>PE<<
! VRF for Client A
ip vrf CEA
rd 50:500
route-target export 50:500
route-target import 50:500
L2VPN ... 205
  EoMPLS ... 206
    EoMPLS ... 206
    Monitor Commands ... 209
  L2TPv3 ... 210
    L2TPv3 using Static Tunnels ... 210
    Monitor Commands ... 212
  VPLS ... 213
    VPLS (VLAN-Based) ... 213
    VPLS (QinQ, Port-Based) ... 219
    Monitor Commands ... 223
EOMPLS
[Topology diagram: CE1-H and CE1-S1 attached to PE1 and PE2 over 802.1q trunks carrying VLAN 10, 100, 199]
>>PE1<<
! interface for PE1 connecting to CE1-H
interface FastEthernet0/0
no ip address
no shutdown
interface FastEthernet0/0.10
! tag VLAN10 from CE1-H to CE1-S1
encapsulation dot1Q 10
! build EoMPLS tunnel for VLAN10 to PE2
xconnect 3.3.3.3 10 encapsulation mpls
interface FastEthernet0/0.100
! tag VLAN100 from CE1-H to CE1-S1
encapsulation dot1Q 100
! build EoMPLS tunnel for VLAN100 to PE2
xconnect 3.3.3.3 100 encapsulation mpls
interface FastEthernet0/0.199
! tag VLAN199 from CE1-H to CE1-S1
encapsulation dot1Q 199
! build EoMPLS tunnel for VLAN199 to PE2
xconnect 3.3.3.3 199 encapsulation mpls
>>PE2<<
! interface for PE2 connecting to CE1-S1
interface FastEthernet0/0
no ip address
no shutdown
interface FastEthernet0/0.10
! tag VLAN10 from CE1-S1 to CE1-H
encapsulation dot1Q 10
! build EoMPLS tunnel for VLAN10 to PE1
xconnect 2.2.2.2 10 encapsulation mpls
interface FastEthernet0/0.199
! tag VLAN199 from CE1-S1 to CE1-H
encapsulation dot1Q 199
! build EoMPLS tunnel for VLAN199 to PE1
xconnect 2.2.2.2 199 encapsulation mpls
>>CE1-H<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL
L2TPV3 USING STATIC TUNNELS
[Topology diagram: CE1 (loopback 4.4.4.4) and CE2 (loopback 5.5.5.5)]
>>PE1<<
! management interface for PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
! enable L2TPv3 and use Loopback0 for building the tunnel to PE2
pseudowire-class manual
encapsulation l2tpv3
protocol none
ip local interface Loopback0
>>PE2<<
! enable L2TPv3 and use Loopback0 for building the tunnel to PE1
pseudowire-class manual
encapsulation l2tpv3
protocol none
ip local interface Loopback0
>>CE1<<
! management interface for CE1
interface Loopback0
ip address 4.4.4.4 255.255.255.255
! LAN interface
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
>>CE2<<
! LAN interface
interface FastEthernet0/1
ip address 192.168.20.1 255.255.255.0
MONITOR COMMANDS
[Topology diagram (VPLS): CE1-H (.1) and CE1-S1 (.4, loopback 4.4.4.4) on 10.1.4.0/24, plus CE1-S2, each attached over an 802.1q trunk carrying VLAN 10, 100, 199]
VPLS (VLAN-BASED)
>>PE1<<
! management interface for PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Vlan10
! build VPLS tunnels to all VPLS peers for VLAN10
xconnect vfi VPLS-CLIENT1
interface Vlan199
! build VPLS tunnels to all VPLS peers for VLAN199
xconnect vfi VPLS-CLIENT1
>>PE2<<
! management interface for PE2
interface Loopback0
ip address 3.3.3.3 255.255.255.255
interface Vlan10
! build VPLS tunnels to all VPLS peers for VLAN10
xconnect vfi VPLS-CLIENT1
interface Vlan100
! build VPLS tunnels to all VPLS peers for VLAN100
xconnect vfi VPLS-CLIENT1
>>PE3<<
! management interface for PE3
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Vlan10
! build VPLS tunnels to all VPLS peers for VLAN10
xconnect vfi VPLS-CLIENT1
interface Vlan100
! build VPLS tunnels to all VPLS peers for VLAN100
xconnect vfi VPLS-CLIENT1
>>CE1-H<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL
>>PE1<<
! management interface for PE1
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Vlan900
! build VPLS QinQ tunnels to all VPLS peers for Client 1
xconnect vfi VPLS-CLIENT1
>>PE2<<
! management interface for PE2
interface Loopback0
ip address 3.3.3.3 255.255.255.255
>>PE3<<
! management interface for PE3
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Vlan900
! build VPLS QinQ tunnels to all VPLS peers for Client 1
xconnect vfi VPLS-CLIENT1
>>CE1-S1<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL
>>CE1-S2<<
! add VLAN10 used for the Internal network
vlan 10
name RHG-CE1-INTERNAL
MONITOR COMMANDS
MGCP
! enable MGCP
mgcp
! specify Cisco UCM server
mgcp call-agent 10.67.78.181
mgcp sdp simple
! enable MGCP
ccm-manager mgcp
ccm-manager fax protocol cisco
ccm-manager music-on-hold
! specify primary Cisco UCM server
ccm-manager config server 192.168.10.10
ccm-manager config
! specify secondary Cisco UCM server
ccm-manager redundant-host 192.168.10.11
ccm-manager fallback-mgcp
ccm-manager switchback immediate
PRI
[Topology diagram: VGR connected to the PSTN over a PRI]
controller T1 0/0/0
! specify framing, clocking, and linecode
framing esf
clock source line primary
linecode b8zs
! specify if this is a PRI (or T1) including the number of channels
pri-group timeslots 1-3,24
FXS
[Topology diagram: analog phone connected to an FXS port on the VGR]
! FXS port
voice-port 0/1/0
! specify caller-ID name for the connected analog device
station-id name Analog 3001
! specify directory number for the connected analog device
station-id number 3001
! enable caller-ID
caller-id enable
FXO
[Topology diagram: VGR connected to the PSTN over an FXO port]
! FXO port
voice-port 0/2/0
supervisory disconnect dualtone pre-connect
pre-dial-delay 0
no vad
timeouts call-disconnect 2
voice-port 0/1/0
! specify that this FXO port is using a Groundstart analog line
signal groundStart
! from the Cisco voice gateway dial a DID number (access code of 9)
csim start 919252302203
SIP TRUNK
[Topology diagram: CME (.1) and a server (.10) on 192.168.10.0/24; DN range 7XXX]
voice-card 0
dsp services dspfarm
! enable SCCP sourced from LAN interface (only Ethernet interface on voice gateway)
sccp local FastEthernet0/0
! specify primary Cisco UCM server
sccp ccm 192.168.10.10 identifier 1 priority 1
! specify secondary Cisco UCM server
sccp ccm 192.168.10.11 identifier 2 priority 2
! enable SCCP for transcoding and conferencing resources
sccp
SRST
[Topology diagram: SRST router (.1, DN 6016778) with FXO to the PSTN and an 802.1q trunk carrying the voice VLAN (10) and data VLAN (100); 192.168.20.0/24]
hostname vgr01ms
! translate calls using the main office extension to the full DID number
voice translation-rule 1
rule 1 /^209\(....\)/ /1209124\1/
[Topology diagram: VGR connected to the PSTN over a PRI or FXO]
* These are FXS ports connecting to analog ports on a Fax Server (e.g. Castelle Fax server)
* Example: we have 4 ports connecting to fax server. 4-digits passed from PSTN.
* Someone sends a fax to 209-123-6111. 6111 is passed to the gateway
...
MONITOR
[Topology diagram: CME/CUE router (.1, DN 6700) with FXO to the PSTN and an 802.1q trunk]
BASE CONFIGURATION
telephony-service
! specify IP for CME and SCCP port number (2000)
ip source-address 192.168.10.1 port 2000
! specify the amount of time (in seconds) for setting up a call
timeouts interdigit 5
! configure banner on bottom of the IP phone
system message RouteHub UC520
! specify directory number profile used for auto-registration
auto assign 19 to 19
! enable video support
video
! specify timezone used by CME ; using PST timezone
time-zone 5
! specify voicemail pilot number
voicemail 6000
! configure username and password to access CME GUI page
web admin system name admin secret cisco123
DIRECTORY NUMBERS
ephone-dn 10 dual-line
! specify directory number (extension)
number 6700
! specify what will be listed under the line appearance on the phone
label 6700 (Main)
! specify DN Qualified Display Name (we will use the actual DID number)
description 2091236700
! if a caller calls this DN and the line is busy forward to the voicemail pilot
call-forward busy 6000
! if a caller calls this DN with no answer within 15 seconds forward to the voicemail pilot
call-forward noan 6000 timeout 15
ephone-dn 10 dual-line
number 6700
! all calls made to DN 6700 will be forwarded to 4001
call-forward all 4001
IP PHONE CONFIGURATION
ephone 1
! MAC address of IP phone
mac-address 001C.58F0.7619
! specify IP phone model
type 7970
! associate DN to phone line appearance ; line 1 on the 7970 will use DN profile 10
button 1:10
! translation rule to translate any number starting with 9 so that it starts with 19, for the user at ext 6700
voice translation-rule 1
rule 1 /^9/ /19/
! translation profile TP-6700 applies rule 1 to the called number
voice translation-profile TP-6700
translate called 1
! if the user at extension 6700 dials any outgoing call it will use translation profile TP-6700
dial-peer voice 1 voip
translation-profile incoming TP-6700
answer-address 6700
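Both translation rules in this guide, the SRST rule `/^209\(....\)/ /1209124\1/` that expands a 209 extension to its full DID and the CME rule `/^9/ /19/` above, use the IOS regex dialect, where capture groups are written `\(`...`\)` and `\1` is the backreference. The added Python script below (editor-supplied, not the guide's code) parses a constructed copy of those two rule sets, converts the patterns to Python syntax and applies them the way IOS does for simple rules: the first matching sub-rule rewrites the matched part of the number and anything else passes through. On the page both rule sets are numbered 1; here the CME rule is renumbered 2 so they can coexist. Rule types, plans and reject rules are not modelled.

```python
import re

# The two translation rules from the guide, copied as constructed text so the
# script is self-contained. The second rule set is renumbered from 1 to 2 here.
TRANSLATION_RULES = r"""
voice translation-rule 1
 rule 1 /^209\(....\)/ /1209124\1/
voice translation-rule 2
 rule 1 /^9/ /19/
"""

HEADER_RE = re.compile(r"^\s*voice translation-rule\s+(\d+)")
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+/([^/]*)/\s+/([^/]*)/")


def ios_to_python(pattern):
    """IOS writes capture groups as backslash-escaped parentheses (POSIX basic
    style); Python wants bare parentheses. '^' and '.' mean the same in both."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def parse_translation_rules(text):
    """Return {rule_set: [(sub_rule, python_pattern, replacement), ...]}."""
    rules, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = int(header.group(1))
            rules.setdefault(current, [])
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rules[current].append((int(m.group(1)), ios_to_python(m.group(2)), m.group(3)))
    for subrules in rules.values():
        subrules.sort()  # IOS tries sub-rules in ascending order
    return rules


def translate(number, subrules):
    """Apply the first sub-rule whose match pattern hits. Only the matched part is
    replaced; a backreference in the replacement keeps the captured digits. Numbers
    that match no sub-rule pass through unchanged."""
    for _, pattern, replacement in subrules:
        if re.search(pattern, number):
            return re.sub(pattern, replacement, number, count=1)
    return number


RULES = parse_translation_rules(TRANSLATION_RULES)

if __name__ == "__main__":
    print(translate("2096700", RULES[1]))   # 209 extension -> full DID
    print(translate("95551234", RULES[2]))  # 9-prefixed call -> 19-prefixed
    print(translate("6701", RULES[2]))      # internal extension, untouched
```

A script like this is a cheap way to regression-test a dial plan before pushing it to a gateway: feed it the numbers users actually dial and check that nothing unexpected (an internal extension, an emergency number) gets rewritten.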
voice-port 1/0/0
supervisory disconnect dualtone pre-connect
pre-dial-delay 0
no vad
timeouts call-disconnect 2
timeouts wait-release 2
! all incoming calls would go to extension 6700
connection plar opx 6700
caller-id enable
voice-port 0/0/0
! FXS interface enabled for caller-ID
caller-id enable
ephone 2
device-security-mode none
! MAC address determined from “show stcapp device summary”
! enable SIP communication between itself and other protocols on the router
voice service voip
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
supplementary-service h450.12
PHONE DIRECTORY
telephony-service
directory first-name-first
! create phone directory entry #1 with the number and the phone entry description
directory entry 1 919252302203 name ROUTEHUB (Main)
! create phone directory entry #2 with the number and the phone entry description
directory entry 2 912091234567 name Other Number (Cell)
! if someone calls DN 6700 it will also ring the number listed under the SNR entry
ephone-dn 10 dual-line
number 6700 no-reg primary
! enable mobility to support SNR
mobility
! SNR entry to dial DID number in 2 sec and if no answer within 30 sec forward to voicemail
snr 919252302203 delay 2 timeout 30 cfwd-noan 6000
voice-card 0
dspfarm
dsp services dspfarm
sip-ua
! specify SIP username (usually the SIP number) and password supplied by SIP provider
authentication username 19252302204 password cisco6778
no remote-party-id
retry invite 2
retry register 10
timers connect 100
! specify DNS (or IP) of SIP proxy server on Internet (e.g. Viatalk)
registrar dns:sipproxy.routehub.local expires 3600
sip-server dns:sipproxy.routehub.local
host-registrar
! enable SIP communication between itself and other protocols on the router
voice service voip
! source addresses allowed to place incoming VoIP calls; 0.0.0.0 0.0.0.0 trusts every
! address and so disables the toll-fraud check, so limit it to the SIP provider's addresses
ip address trusted list
ipv4 0.0.0.0 0.0.0.0
allow-connections sip to sip
supplementary-service h450.12
! disable 302 messages
no supplementary-service sip moved-temporarily
! disable REFER messages
no supplementary-service sip refer
sip
registrar server expires max 3600 min 3600
localhost dns:sipproxy.routehub.local
! translation profile used for incoming calling from the SIP trunk
voice translation-profile RHG-TP-SIP-IN
! associate translation rule #1 that will translate DID to user extension
translate called 1
! translation profile used for outgoing calling over the SIP trunk
voice translation-profile RHG-TP-SIP-OUT
! associate translation rule #2 for calls placed
translate called 2
! associate translation rule #3 for stripping “9” and forwarding the dialed number
translate calling 3
translate redirect-target 4
translate redirect-called 4
ephone-dn 10 dual-line
! directory numbers we don’t want to register with SIP-UA
number 6700 no-reg primary
name 6700
call-forward busy 6000
call-forward noan 6000 timeout 15
telephony-service
! preserves caller-ID of a call when transferred or forwarded
calling-number initiator
! enables translation rule features for forwarding
call-forward system redirecting-expanded
! Registration
show sip-ua register status
debug ccsip message
! Call setup
show ephone registered
show voice rtp connection
show sip-ua call
show call active voice brief
debug ccsip message
FAST DIAL
telephony-service
! specify voicemail pilot number
voicemail 6000
HARDWARE CONFERENCING
! create voice class for custom tones when a caller leaves the conference call
voice class custom-cptone routehub-leave
dualtone conference
frequency 900 900
cadence 150 50 150 50
! create voice class for custom tones when a caller joins a conference call
voice class custom-cptone routehub-join
dualtone conference
frequency 1200 1200
cadence 150 50 150 50
telephony-service
! specify max number of conference bridges (based on DSP resources used)
max-conferences 8 gain -6
sdspfarm conference mute-on 11 mute-off 12
sdspfarm units 3
sdspfarm tag 1 mtp001d4567c690
! enable hardware conferencing for CME
conference hardware
CONFERENCING: MEETME
CONFERENCING: ADHOC
PAGING
HUNT GROUP
! configure hunt group sequentially routing calls to the first extension listed and so forth
ephone-hunt 1 sequential
! specify the pilot number for the hunt group
pilot 6701
! list the extensions that will be included in the hunt group
list 6702, 6700
! if there is no answer within 15 seconds forward to voicemail pilot
final 6000
preference 1
timeout 15, 15
ephone-dn 14
! specify directory number used for Call Park
number 6002
! specify that a call can be parked for 30 seconds and can support 10 concurrent call parks
park-slot timeout 30 limit 10
name ROUTEHUB CALL PARK
ephone 1
! apply the custom template to an IP phone
ephone-template 1
type 7970
ephone 1
! once completed reset the phone to use the new softkey template
reset
! copy the files to the flash on the CME router ; example below for one of the files
uc01tra#copy tftp flash:
Address or name of remote host []? 192.168.10.10
Source filename []? app-b-acd-aa-2.1.2.3.tcl
Destination filename [app-b-acd-aa-2.1.2.3.tcl]
! configure hunt group based on the extension that has been idle the longest
ephone-hunt 1 longest-idle
! pilot number used for the call center support group
pilot 6721
! list the extensions that will be included in the hunt group
list 2001, 2002
timeout 10, 10
! collect statistics for all call activity in this hunt group
statistics collect
telephony-service
! send call stats to the TFTP server and folder
hunt-group report url prefix tftp://192.168.10.10/data
hunt-group report url suffix 0 to 200
! send call stats to the TFTP server every 2 hours
hunt-group report every 2 hours
! copy ring tone file and XML files to flash on CME router via TFTP
copy tftp://192.168.10.10/24.raw flash:
copy tftp://192.168.10.10/RingList.xml flash:
copy tftp://192.168.10.10/DistinctiveRingList.xml flash:
! for each file copied configure TFTP entry that will be used by the IP phones
tftp-server flash:RingList.xml
tftp-server flash:DistinctiveRingList.xml
tftp-server flash:24.raw
! configure matching logout profile with the same details also include the username & password
voice logout-profile 1
pin 6778
! use this info for Extension Mobility login to load this profile on a phone
user 16778 password 6778
number 6700,A5001,7700,2001 type feature-ring
! associate the logout profile to the actual phone using for listed DNs today
ephone 1
logout-profile 1
telephony-service
! add URL pointing to itself for extension mobility login via the phone services button
url authentication http://192.168.10.1/voiceview/authentication/authenticate.do
PHONE SERVICES
telephony-service
! add the XML URL that will be listed under “Phone Services”
url services http://phone-xml.berbee.com/menu.xml
application
! enable TCL script applications
service onramp flash:app_faxmail_onramp.2.0.1.3.tcl
service fax_detect flash:app_fax_detect.2.1.2.2.tcl
param fax-dtmf 2
param mode listen-first
param voice-dtmf 1
application
! enable TCL script applications
service onramp flash:app_faxmail_onramp.2.0.1.3.tcl
param fax-dtmf 2
param mode listen-first
param voice-dtmf 1
PLAR
telephony-service
! configure phone service URL pointing to XML file on web server
url services http://www.routehub.local/menu.xml Phone Services
! reset all phones to use the new Phone services location
restart all
voice-port 0/4/0
auto-cut-through
signal immediate
input gain auto-control -15
description Music On Hold Port
ephone-dn 9
number BCD no-reg primary
description MoH
moh ip 239.10.16.8 port 2139 out-call ABC
* not applicable for incoming call translations only when dialed internally
! when a user dials 6778 it will translate/forward the call to extension 201
num-exp 6778 201
* Monitor: for shared lines to monitor the visible line status, which indicates whether the line is in-use or not.
* Watch: to watch all lines on the phone for which this directory number is the primary line
presence
max-subscription 100
presence call-list
ephone-dn 11
number 6701
label 6701 (User1)
! enable DN to be watched by the presence service
allow watch
ephone 1
! phone 1 can monitor DN 6701 configured on DN-11
blf-speed-dial 1 6701 label "Duncan Rockwell"
! configure hunt group that will call to all extensions & numbers listed
voice hunt-group 1 parallel
! list the numbers that will be included in the hunt group
list 6702, 6700, 919252302203
! specify the pilot number for the hunt group
pilot 6701
WHISPER INTERCOM
ephone-dn 10
number 6700
! perform a whisper intercom call to DN 6701; on the IP Phone it will be labeled as "User1"
whisper intercom speed-dial 6701 label "User1"
ephone 1
! whisper intercom and DN associated to button number 2
! DN 1 on button 1; the whisper intercom DN (10) on button 2
button 1:1 2:10
telephony-service
! block any call that begins with 91 during the schedule defined later
after-hours block pattern 1 91
! any person dialing 900 numbers (24x7) will be blocked
after-hours block pattern 2 91900 7-24
! specify schedule when after-hours starts (7PM) and ends (8AM) for the after-hours block rules defined above
after-hours day mon 19:00 8:00
! once the pin number is dialed users can dial all numbers except for 900 numbers
ephone 3
pin 677
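The blocking logic those commands express, modelled as an added Python example (not code from the RouteHub guide): the `7-24` pattern is enforced around the clock, the plain pattern only inside the schedule, and a phone that has entered its PIN is exempt from the schedule but not from `7-24`. The wrap-past-midnight handling of a stop time earlier than its start time, and the sample timestamps, are assumptions made for the example.

```python
"""Model of CME after-hours blocking: block patterns, the daily schedule
and the PIN override. Added example, not code from the RouteHub guide."""
from datetime import datetime, time

# Constructed from the guide's snippet: (tag, dialed-digit prefix, always)
# always=True is the "7-24" keyword: the pattern is blocked at all hours.
BLOCK_PATTERNS = [
    (1, "91", False),      # after-hours block pattern 1 91
    (2, "91900", True),    # after-hours block pattern 2 91900 7-24
]

# after-hours day mon 19:00 8:00 -> blocking window for Monday
SCHEDULE = {"mon": (time(19, 0), time(8, 0))}

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
NEXT_DAY = {d: WEEKDAYS[(i + 1) % 7] for i, d in enumerate(WEEKDAYS)}


def in_after_hours(when: datetime) -> bool:
    """True if `when` falls inside a configured after-hours window.

    Assumption: a stop time earlier than its start time means the window
    wraps past midnight, so Monday 19:00-08:00 covers Monday evening and
    the early hours of Tuesday."""
    weekday = WEEKDAYS[when.weekday()]
    t = when.time()
    for day, (start, stop) in SCHEDULE.items():
        if start <= stop:
            if weekday == day and start <= t < stop:
                return True
        else:
            if weekday == day and t >= start:
                return True
            if weekday == NEXT_DAY[day] and t < stop:
                return True
    return False


def blocked_by(dialed: str, when: datetime, pin_entered: bool = False):
    """Return the tag of the first pattern that blocks this call, or None.

    Patterns are matched as leading digits of the dialed number (the guide's
    "begins with 91"). A 7-24 pattern applies regardless of schedule and PIN;
    a plain pattern applies only during after-hours and only when no PIN
    has been entered on the phone."""
    for tag, prefix, always in BLOCK_PATTERNS:
        if not dialed.startswith(prefix):
            continue
        if always:
            return tag
        if in_after_hours(when) and not pin_entered:
            return tag
    return None


def sample_time(day: int, hour: int, minute: int = 0) -> datetime:
    """Constructed timestamps in January 2024 (the 15th is a Monday)."""
    return datetime(2024, 1, day, hour, minute)


if __name__ == "__main__":
    monday_evening = sample_time(15, 20)
    for number in ("912095551234", "919005551234", "6701"):
        print(number, "->", blocked_by(number, monday_evening),
              "| with PIN:", blocked_by(number, monday_evening, pin_entered=True))
```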
telephony-service
! allow call transfers to any destination
transfer-pattern .T
ephone-dn 10
number 6700
! DN 6700 can only forward up to a 4-digit number. Anything beyond that is dropped.
! Example: DN 6700 can forward calls to extension 6701, but not to local or LD number
call-forward max-length 4
ephone 1
button 1:1
* example: two groups (consulting & training) using a different MOH audio stream
telephony-service
! enable MOH for any IP Phone not assigned to a MOH group (default)
moh music-on-hold.au
ephone-dn 10
number 6700
! MOH group 1 assigned to DN 6700 used by a consulting employee
moh-group 1
ephone-dn 11
number 6701
! MOH group 2 assigned to DN 6701 used by a training employee
moh-group 2
[Diagram: CME1 (.2) and CME2 (.3) on 192.168.10.0/24 sharing HSRP VIP 192.168.10.1]
>>CME1<<
interface fastethernet0/1
! primary HSRP router on CME1
ip address 192.168.10.2 255.255.255.0
standby ip 192.168.10.1
standby priority 150
standby preempt
telephony-service
! HSRP address used for the phone system (SCCP)
ip source-address 192.168.10.1 port 2000
>>CME2<<
interface fastethernet0/1
! secondary HSRP router on CME2
ip address 192.168.10.3 255.255.255.0
standby ip 192.168.10.1
standby priority 100
telephony-service
! HSRP address used for the phone system (SCCP)
ip source-address 192.168.10.1 port 2000
[Diagram: CME1 (.1) and CME2 (.2) on 192.168.10.0/24]
telephony-service
! specify the primary and secondary CME phone system routers
ip source-address 192.168.10.1 port 2000 secondary 192.168.10.2
[Diagram: gatekeeper (GK) at 192.168.11.1 toward the WAN/ISP; CME1 (.1) and CME2 (.2) on 192.168.10.0/24 serving DNs 6XXX]
>>CME1<<
interface loopback0
ip address 192.168.10.1 255.255.255.0
h323-gateway voip interface
! specify IP (and port number) of the gatekeeper router
h323-gateway voip id siteA ipaddr 192.168.11.1 1719
! specify ID that will be used by the gatekeeper
h323-gateway voip h323-id CME1
h323-gateway voip tech-prefix 1#
! specify the IP to use for registering with the gatekeeper
h323-gateway voip bind srcaddr 192.168.10.1
>>CME2<<
interface loopback0
ip address 192.168.10.2 255.255.255.0
h323-gateway voip interface
! specify IP (and port number) of the gatekeeper router
h323-gateway voip id siteA ipaddr 192.168.11.1 1719
! specify ID that will be used by the gatekeeper
h323-gateway voip h323-id CME2
h323-gateway voip tech-prefix 1#
! specify the IP to use for registering with the gatekeeper
h323-gateway voip bind srcaddr 192.168.10.2
>>GK<<
! enable gatekeeper services on the router
gatekeeper
! create local zone for the site with the CME routers and the local IP used for the gatekeeper
zone local TRA routehub.local 192.168.11.1
! primary call routing to IP phones using 6XXX extensions through CME1 (access code of 8)
zone prefix TRA 86... gw-priority 10 CME1
! secondary call routing to IP phones using 6XXX extensions through CME2 (access code of 8)
zone prefix TRA 86... gw-priority 9 CME2
zone gw-type prefix 1# default-technology
! on CME router
telephony-service
! add URL for VoiceView authentication on CME
url authentication http://192.168.10.2/voiceview/authentication/authenticate.do
! enable VoiceView URL on CME accessed under Phone Services
url services http://192.168.10.2/voiceview/common/login.do
ephone 10
button 1:14 2:15
! enable MWI red light if a new voicemail comes in on line 2
mwi-line 2
Router(config)# telephony-service
! keeps the backlight turned on instead of turning off
Router(config-telephony)# service phone displayOnWhenIncomingCall 1
First configure the CoR objects, which are equivalent to partitions in CUCM
! define CoR objects for the type of calls you want to restrict/permit
dial-peer cor custom
! object/partition for 911 calls
name RHG-P-911
! object/partition for 1-800-XXX-XXXX calls
name RHG-P-TOLL-1800
! object/partition for 1-900-XXX-XXXX calls
name RHG-P-TOLL-1900
! object/partition for local calls
name RHG-P-LOCAL
! object/partition for long distance calls
name RHG-P-LD
! create CoR group for Open areas (e.g. Lobby, Break Room, Kitchen)
dial-peer cor list RHG-CSS-OPEN
! add 911 and local calling partitions
member RHG-P-911
member RHG-P-LOCAL
! create CoR group for Execs (e.g. CEO, VP, Directors, Managers)
dial-peer cor list RHG-CSS-EXEC
! add 911, 1800, 1900, local, & LD partitions
member RHG-P-911
member RHG-P-LOCAL
member RHG-P-TOLL-1800
member RHG-P-TOLL-1900
member RHG-P-LD
Associate the CoR group with the correct dial peer based on its calling pattern
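How those partitions and groups are enforced once applied, as an added Python example that is not RouteHub's code: it parses the CoR objects and lists above and decides whether a calling DN may use a given dial peer. The single-member `RHG-CL-*` lists (the kind applied to each outbound PSTN dial peer) are constructed for the example; the subset rule it models is Cisco IOS CoR behaviour.

```python
"""Parse the guide's Class of Restriction (CoR) config and decide whether a
calling DN may use a dial peer. Added example, not RouteHub's code.

Rule modelled (Cisco IOS CoR): the cor list on the outgoing dial peer must be
a subset of the cor list applied to the incoming side (for an IP phone, the
ephone-dn's "corlist incoming"); a side with no cor list places no
restriction on the call."""
import re

# The guide's CoR objects and groups, plus constructed single-member lists
# (RHG-CL-*) of the kind applied to each outbound PSTN dial peer.
COR_CONFIG = """
dial-peer cor custom
 name RHG-P-911
 name RHG-P-TOLL-1800
 name RHG-P-TOLL-1900
 name RHG-P-LOCAL
 name RHG-P-LD
dial-peer cor list RHG-CSS-OPEN
 member RHG-P-911
 member RHG-P-LOCAL
dial-peer cor list RHG-CSS-EXEC
 member RHG-P-911
 member RHG-P-LOCAL
 member RHG-P-TOLL-1800
 member RHG-P-TOLL-1900
 member RHG-P-LD
dial-peer cor list RHG-CL-911
 member RHG-P-911
dial-peer cor list RHG-CL-LOCAL
 member RHG-P-LOCAL
dial-peer cor list RHG-CL-LD
 member RHG-P-LD
"""


def parse_cor(config: str):
    """Return (names, lists): the defined CoR objects and each list's members.
    Raises ValueError if a list references an object that was never named."""
    names, lists = set(), {}
    block = None            # "custom", a list name, or None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "dial-peer cor custom":
            block = "custom"
        elif (m := re.match(r"dial-peer cor list (\S+)$", line)):
            block = m.group(1)
            lists[block] = set()
        elif block == "custom" and (m := re.match(r"name (\S+)$", line)):
            names.add(m.group(1))
        elif block not in (None, "custom") and (m := re.match(r"member (\S+)$", line)):
            lists[block].add(m.group(1))
        else:
            block = None    # any other command ends the current block
    for list_name, members in lists.items():
        unknown = members - names
        if unknown:
            raise ValueError(f"{list_name} references undefined CoR objects {sorted(unknown)}")
    return names, lists


def call_allowed(incoming_list, outgoing_list, lists) -> bool:
    """True if a call whose incoming side carries `incoming_list` may leave via
    a dial peer carrying `outgoing_list`. None means "no cor list applied"."""
    if incoming_list is None or outgoing_list is None:
        return True
    return lists[outgoing_list] <= lists[incoming_list]


def missing_members(incoming_list, outgoing_list, lists):
    """CoR objects the caller's list lacks for this peer (empty when allowed)."""
    if incoming_list is None or outgoing_list is None:
        return set()
    return lists[outgoing_list] - lists[incoming_list]


if __name__ == "__main__":
    _, cor_lists = parse_cor(COR_CONFIG)
    for css in ("RHG-CSS-OPEN", "RHG-CSS-EXEC"):
        for peer in ("RHG-CL-911", "RHG-CL-LOCAL", "RHG-CL-LD"):
            verdict = "allow" if call_allowed(css, peer, cor_lists) else "block"
            print(f"{css:13} -> {peer:13}: {verdict}")
```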
[Diagram: CME/CUE (.1) with an FXO port to the PSTN, DN 6700, 802.1q trunk]
ACCESS TO CUE
! specify FTP location, username, and password where the CUE files are located
software download server url ftp://192.168.10.10/cue7 username admin password cisco123
! files to download from Cisco software center if using CUE 7.0.x and using CUE on ISE (UC520)
The CUE zip file: cue-cm-k9.ise.7.0.1.zip
The Language pack: cue-vm-en_US-langpack.ise.7.0.1.prt1
The License file: cue-vm-license_50mbx_cme_7.0.1.pkg
BASE CONFIGURATION
telephony-service
! specify voicemail pilot number
voicemail 6000
ephone-dn 10 dual-line
number 6700 no-reg primary
! if a caller calls this DN and the line is busy forward to the voicemail pilot
call-forward busy 6000
! if a caller calls this DN with no answer within 15 seconds forward to the voicemail pilot
call-forward noan 6000 timeout 15
voicemail callerid
! specify default language ; English (US)
voicemail default language en_US
! specify default mailbox size ; 420 seconds
voicemail default mailboxsize 420
voicemail broadcast recording time 300
! specify default voicemail message size; 240 seconds
voicemail default messagesize 240
voicemail notification restriction msg-notification
! specify the directory number to reach the Operator
voicemail operator telephone 0
! route pattern that will match the incoming call and forward to the CUE module
dial-peer voice 600 voip
! specify pattern for CUE services (VM, AA, Prompt management, etc.)
destination-pattern 6...
! specify dial peer as a SIP trunk
session protocol sipv2
! specify IP of CUE device
session target ipv4:192.168.10.2
dtmf-relay sip-notify
codec g711ulaw
no vad
! Note: the following configuration should be done at the enable mode not config mode
! specify voicemail notification profile name (VM-6700) for user account
! specify the email address to send voicemail messages to
username routehub profile VM-6700 email address vm@routehub.local
! specify voicemail notification using email
username routehub profile VM-6700 email enable
username routehub profile VM-6700 email preference all
! voicemail messages sent via email should be sent as an attachment
username routehub profile VM-6700 email attach
! specify schedule for voicemail notification to 24-hours a day
username routehub profile VM-6700 email schedule day 1 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 2 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 3 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 4 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 5 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 6 active from 01:00 to 24:00
username routehub profile VM-6700 email schedule day 7 active from 01:00 to 24:00
! configure softkey template to include the Live Record (LiveRcd) when a call is connected
ephone-template 1
softkeys connected LiveRcd Confrn Hold Park Trnsfer TrnsfVM
! apply template on the phone profiles that will use Live Record
ephone 1
ephone-template 1
telephony-service
! specify Live Record directory number
live-record 6005
! voicemail pilot number
voicemail 6000
ephone-dn 16
! configure DN 6005
number 6005
! all calls to Live Record are forwarded to the voicemail pilot
call-forward all 6000
! route pattern that will match CUE services to the CUE module
dial-peer voice 600 voip
destination-pattern 6...
session protocol sipv2
session target ipv4:192.168.10.2
dtmf-relay sip-notify
codec g711ulaw
no vad
[Diagram: CUCM (.11) on 192.168.10.0/24, DNs 5XX, DID 209-123-60XX]
! all local and LD calls placed from OCS will include a "9"
! at the beginning of the number before being routed to UCM to use the
! correct route pattern and routed to the voice gateway
voice translation-rule 1
rule 1 /^\(1[2-9].........\)$/ /9\1/
rule 2 /^\([2-9].........\)$/ /9\1/
! dial plan used for long distance calling from OCS to UCM/PSTN
dial-peer voice 901 voip
description LD Calling from OCS to CCM (external)
! associate translation profile
translation-profile outgoing RHG-TP-OCS-CCM-external
! route pattern for LD calls
destination-pattern 1[2-9].........
! SIP trunk to UCM server
session protocol sipv2
! define IP of UCM
session target ipv4:192.168.10.10
session transport tcp
! define DTMF
dtmf-relay sip-kpml
! define codec
codec g711ulaw
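The two translation rules above use sed-style basic-regex syntax; this added Python example (not code from the guide) parses them from their Cisco form and applies them to dialed numbers the way IOS does, first matching rule wins. The sample dialed numbers are constructed, and the only Cisco-to-Python regex conversion it performs is the `\(` `\)` grouping, which is all these rules need.

```python
"""Apply Cisco IOS voice translation-rule entries to dialed numbers.
Added example, not code from the RouteHub guide."""
import re

# The guide's translation rule (prefix a 9 to 10- and 11-digit numbers),
# kept in Cisco's own syntax so the parser below works on real config lines.
TRANSLATION_CONFIG = r"""
voice translation-rule 1
 rule 1 /^\(1[2-9].........\)$/ /9\1/
 rule 2 /^\([2-9].........\)$/ /9\1/
"""

RULE_LINE = re.compile(r"^\s*rule (\d+) /(.*?)/ /(.*?)/")


def cisco_pattern_to_python(pattern: str) -> str:
    """Cisco translation rules use POSIX basic-regex grouping, backslash-paren,
    where Python's re uses bare parentheses. Only that difference matters for
    the patterns in this guide; other BRE constructs are not converted."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")


def parse_translation_rules(config: str):
    """Return [(tag, compiled_match_pattern, replacement), ...] in config order."""
    rules = []
    for line in config.splitlines():
        m = RULE_LINE.match(line)
        if m:
            tag, match, replace = int(m.group(1)), m.group(2), m.group(3)
            rules.append((tag, re.compile(cisco_pattern_to_python(match)), replace))
    return rules


def translate(number: str, rules):
    """Apply the first rule whose match pattern fits, as IOS does; return
    (translated_number, rule_tag) or (number, None) when nothing matches."""
    for tag, pattern, replacement in rules:
        if pattern.search(number):
            return pattern.sub(replacement, number, count=1), tag
    return number, None


if __name__ == "__main__":
    rules = parse_translation_rules(TRANSLATION_CONFIG)
    # constructed sample numbers: 11-digit LD, 10-digit local, 4-digit extension
    for dialed in ("12095551234", "2095551234", "6700"):
        print(dialed, "->", translate(dialed, rules))
```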
[Diagram: AP 802.1q trunk carrying VLAN 10-12, VLAN 20 and VLAN 99; 192.168.20.10 and gateway .1]
BASE CONFIGURATION
! default gateway
ip default-gateway 192.168.99.1
! configure sub-interface for “management” and used for the native VLAN
interface FastEthernet0.99
! management interface will use VLAN99 to the LAN and will be untagged
encapsulation dot1Q 99 native
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
! associate default bridge group to interface
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface Dot11Radio0
! bring up wireless radio interface
no shutdown
station-role root access-point
! enable 802.11b and 802.11g
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
! let the AP choose the frequency channel that is the least congested
channel least-congested
interface Dot11Radio0
! enable TKIP with WPA
encryption vlan 10 mode ciphers tkip
! associate WLAN SSID for “private” under wireless radio
ssid private
interface Dot11Radio0
! enable WPA2 using AES
encryption vlan 11 mode ciphers aes-ccm
! associate WLAN SSID for “private2” under wireless radio
ssid private2
interface Dot11Radio0
! enable WEP and define the 128bit key for “private-wep” (VLAN102)
encryption vlan 12 key 1 size 128bit 12345678901234567890123456 transmit-key
! using a WEP key is required for association
encryption vlan 12 mode wep mandatory
! associate WLAN SSID for “private-wep” under wireless radio
ssid private-wep
[Diagram: EAP-FAST SSID on VLAN 13, 802.1q trunk to the AAA server]
! create AAA group for RADIUS
aaa group server radius RHG-AAA-RADIUS
! specify IP of local RADIUS server including the RADIUS key
server-private 192.168.99.10 auth-port 1812 acct-port 1813
key 0 Cisco123
! define AAA authentication to use the AAA group and to use EAP
aaa authentication login eap RHG-AAA-EAP group RHG-AAA-RADIUS
aaa authorization exec default local
ip radius source-interface BVI1
[Diagram: SSID on VLAN 14, 802.1q trunk to the AAA server]
! create AAA group for RADIUS
aaa group server radius RHG-AAA-RADIUS
! specify IP of local RADIUS server including the RADIUS key
server-private 192.168.99.10 auth-port 1812 acct-port 1813
key 0 Cisco123
! define AAA authentication to use the AAA group and to use EAP
aaa authentication login eap RHG-AAA-EAP group RHG-AAA-RADIUS
aaa authorization exec default local
ip radius source-interface BVI1
interface Dot11Radio0
no ip address
ssid RHG-WPA
vlan 10
! enable WLAN MAC filtering on Wireless SSID
authentication open mac-address RHG-MAC-AUTH
interface Dot11Radio0
no ip address
ssid private
ssid private2
! enable MBSSID under wireless interface
mbssid
[Diagram: L2/L3 switch with 802.1q trunks (VLAN 10, 20, 99) to the lightweight AP and to the WLC]
! Lightweight AP connected
interface FastEthernet0/3
description rhg-ap03-sj-ca
! enable 802.1Q encapsulation
switchport trunk encapsulation dot1q
! APs will get IP from the management VLAN for communicating with the WLC
switchport trunk native vlan 99
! allow management, public, and private VLANs
switchport trunk allowed vlan 10,20,99
! enable interface as a 802.1q trunk
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
GENERAL 293
CISCO ASA 5500 / PIX500 / FWSM 294
CISCO PIX 500 SERIES 323
CISCO CATALYST 6500 SERIES 330
CISCO CATALYST 4500 SERIES 343
CISCO CATALYST 3750 SERIES 345
CISCO CATALYST XL (LEGACY) SERIES 346
CISCO ACE SERIES 348
CISCO NEXUS SERIES (NX-OS) 351
GENERAL 293
General 293
Enable AUX port on Cisco 800 293
Copy and Install TAR File 293
Modules 293
Using Third-Party Optics in Cisco Devices 293
GENERAL
line con 0
! enable use of the AUX port
modem enable
! copy, extract, and install tar image with http files and IOS bin
archive tar /xtract tftp://192.168.10.10/c1200-k9w7-tar.123-8.JA2.tar flash:
MODULES
! unsupported command that allows support for third-party optics (SFP, GBIC)
service unsupported-transceiver
no errdisable detect cause gbic-invalid
GENERAL
BASE CONFIGURATION
! enable logging
logging enable
logging monitor debugging
logging buffered debugging
logging asdm information
! configures IP on the WAN interface and creates an alias on the interface called “outside”
interface Ethernet0
nameif outside
ip address 1.1.1.1 255.255.255.0
! configures IP on the LAN interface and creates an alias on the interface called “inside”
interface Ethernet1
nameif inside
ip address 192.168.10.1 255.255.255.0
STATIC ROUTING
! specify the subnets (on the inside) that can telnet to the firewall
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 60
! configure the private RSA keys on the firewall required for SSH
crypto key generate rsa modulus 1024
! specify the subnets listed (inside and outside) that can ssh into the firewall
ssh 6.7.7.8 255.255.255.255 outside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 40
! allows local user accounts to be used for Telnet and SSH sessions
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
ASA IMAGE
! specifies what subnets (inside and outside) can access ASDM on the ASA.
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
! specify the ASDM image that will be loaded and used on the ASA
asdm image disk0:/asdm-613.bin
RADIUS
DHCP SERVER
! specifies the DHCP scope for the IP subnet, DNS, WINS, and domain
dhcpd address 192.168.10.0 inside
dhcpd dns 192.168.10.10 4.2.2.2 interface inside
dhcpd wins 192.168.10.10 interface inside
dhcpd domain routehub.local interface inside
dhcpd update dns both override interface inside
interface Ethernet0
nameif outside
security-level 0
! enables PPPoE on “outside” interface using the profile “Internet”
pppoe client vpdn group Internet
ip address pppoe setroute
LDAP
! specify the IP address and port number of LDAP server including where it is located (inside)
aaa-server RHG-AAA-LDAP protocol ldap
aaa-server RHG-AAA-LDAP (inside) host 192.168.10.10
server-port 389
! specify that users can login using their AD username and password
ldap-naming-attribute samAccountName
! specify the location of the user and password for authenticating against the LDAP server
ldap-login-dn cn=Administrator,cn=Users,dc=routehub,dc=local
server-type Microsoft
ldap-login-password cisco123
[Diagram: ASA with LAN (.1), outside 1.1.1.1, and DMZ 192.168.11.0/24]
! tune OSPF neighbor timers for 1 (hello) and 3 (dead) seconds for fast convergence
interface Ethernet1
ip address 192.168.10.1 255.255.255.0
nameif inside
ospf hello-interval 1
ospf dead-interval 3
[Diagram: ASA dual-ISP; ISP1 reached via outside 1.1.1.1 (.1), ISP2 via 1.2.2.1]
! applies track ID to the primary default route. If the probe fails the route is removed
route outside-isp1 0.0.0.0 0.0.0.0 1.1.1.2 10 track 1
! copy ASA file (e.g. ASA OS, ASDM) from FTP server to local flash (disk0)
copy ftp://cisco:cisco123@192.168.10.10 disk0:
[Diagram: ASA 802.1q trunk carrying VLAN 10 (192.168.10.10) and VLAN 11 (192.168.11.10); LAN .1, outside 1.1.1.1, DMZ 192.168.11.0/24]
interface Ethernet0/1
nameif RHG-LAN
security-level 100
ip address 192.168.10.1 255.255.255.0
! enable RIP MD5 authentication
rip authentication mode md5
! configure password
rip authentication key cisco123 key_id 1
! reload ASA
reload save-config noconfirm
! define the ASA banner to display upon login to the ASA appliance
banner exec **WARNING**
banner exec YOU ARE ATTEMPTING TO LOG INTO A PRIVATE SYSTEM.
banner exec AUTHORIZED USERS ONLY!!
banner exec ALL UNAUTHORIZED USE WILL BE PROSECUTED TO THE
banner exec FULLEST EXTENT OF THE LAW!!
INSTALL A LICENSE
DNS REQUESTS
! static NAT will provide the internal IP if accessing this Public IP from the inside network
static (inside,outside) 1.1.1.10 192.168.10.10 netmask 255.255.255.255 dns
ACTIVE/PASSIVE FAILOVER
>>Primary ASA<<
! on primary ASA configure the outside interface IP for the primary and secondary ASA
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2
! configure the inside interface IP for the primary and secondary ASA
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
! configure the DMZ interface IP for the primary and secondary ASA
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 60
ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
! interface used between the ASA’s for failover and exchanging state information
interface Ethernet0/3
description LAN/STATE Failover Interface
! enable failover and ASA and indicate that this will be our primary ASA
failover
! specify this as the primary firewall
failover lan unit primary
! specify the failover and state interface that will be used
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
! configure a key shared between the two ASA firewalls
failover key cisco6778
! configure the failover interface IP for the primary and secondary ASA
[Diagram: LAN 192.168.10.0/24 behind ASA inside .1, outside 1.1.1.1, web server published as 1.1.1.10, Internet host 6.7.7.0/24 (.10)]
! configure firewall policy to allow any Internet host to access web server (using 1.1.1.10)
access-list ingress-acl extended permit tcp any host 1.1.1.10 eq 80
! configures a group listing TCP and UDP ports such as WWW (TCP/80)
object-group service RHG-APPS tcp-udp
port-object eq www
! configures firewall policy using the object groups allowing any Internet host to access the web
! server located at 1.1.1.10. Or any web service from the 1.1.2.0 network
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS1 object-group RHG-APPS
access-list ingress-acl extended permit tcp any object-group RHG-SERVERS2 object-group RHG-APPS
! configures PAT (NAT Overload) using the IP configured on the “outside” interface
global (outside) 1 interface
! any inside host on the LAN will use the IP on the “outside” for Internet access
nat (inside) 1 192.168.10.0 255.255.255.0
STATIC NAT
[Diagram: LAN 192.168.10.0/24 behind ASA inside .1, outside 1.1.1.1, server published as 1.1.1.10, Internet host 6.7.7.0/24 (.10)]
! configures a static translation where inside host 192.168.10.10 is mapped to Public IP 1.1.1.10
static (inside,outside) 1.1.1.10 192.168.10.10 netmask 255.255.255.255
[Diagram: LAN 192.168.10.0/24 behind ASA inside .1, outside 1.1.1.1, Internet host 6.7.7.0/24 (.10)]
! any access to the IP configured on the “outside” interface for HTTPS (TCP/443) will be
! redirected to the inside server of 192.168.10.10.
static (inside,outside) tcp interface https 192.168.10.10 https netmask 255.255.255.255
! ACL that specifies what networks can be accessed across the SSL VPN tunnel once established
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! specifies the IP addresses that should be assigned to SSL VPN users once logged in
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0
! configure group policy for SSL VPN, DNS servers, and enable split tunnel ACL policy
group-policy RHG-GP-SSL internal
group-policy RHG-GP-SSL attributes
dns-server value 192.168.10.10
vpn-tunnel-protocol webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value routehub.local
webvpn
! SSL VPN SVC tunnel mode is required for connecting clients
svc required
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
! configures a local user account on the ASA used for client login
username user1 password cisco123
! configures tunnel group for SSL VPN which includes the address pool
tunnel-group RHG-TG-SSL type remote-access
tunnel-group RHG-TG-SSL general-attributes
address-pool routehub-pool
default-group-policy RHG-GP-SSL
! ACL that specifies what networks can be accessed across the VPN tunnel once established
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0
! enable NAT-T
crypto isakmp nat-traversal 300
! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp enable outside
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! configure dynamic IPSec policy for remote access using the IPSec transform policy
crypto dynamic-map RHG-DMAP-VPN 10 set transform-set RHG-TS-3DES-MD5
! configure IPSec policy (IKE Phase 2) associating the dynamic IPSec policy ; use ID 65535
crypto map RHG-VPN 65535 ipsec-isakmp dynamic RHG-DMAP-VPN
! enable IPSec VPN on the “outside”
crypto map RHG-VPN interface outside
! configure group policy for the IPSec remote-access VPN, DNS servers, and enable split tunnel ACL policy
group-policy RHG-GP-VPN internal
group-policy RHG-GP-VPN attributes
dns-server value 192.168.10.10 4.2.2.2
vpn-idle-timeout 30
vpn-session-timeout 480
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value routehub.local
! specifies the “Group Authentication Name” (ROUTEHUB) for the VPN client program
tunnel-group ROUTEHUB type remote-access
tunnel-group ROUTEHUB general-attributes
! associates address pool to use
address-pool routehub-pool
! authenticate users against RADIUS server (IAS)
authentication-server-group IAS
default-group-policy RHG-GP-VPN
[Diagram: Site #1 ASA (LAN .1, outside 1.1.1.1) and Site #2 ASA (outside 2.2.2.2, LAN .1)]
>>Site #1<<
! WAN interface (outside) configured on ASA at Site #1
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.252
speed 100
duplex full
nameif outside
! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! specifies the LAN subnets at Site #1 that will communicate with LAN subnets at Site #2
access-list RHG-ACL-VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
! configure IPSec policy (IKE Phase 2) for connecting with ASA at Site #2 ; use ID 10
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs
crypto map vpn 10 set peer 2.2.2.2
! apply the IPSec transform policy
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside
>>Site #2<<
! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! specifies the LAN subnets at Site #2 that will communicate with the LAN subnets at Site #1
access-list RHG-ACL-VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
! enable IPSec policy (IKE Phase 2) using an ID of 10 for connecting with ASA at Site #1
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs
crypto map vpn 10 set peer 1.1.1.1
! apply the IPSec transform policy
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside
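The wireless encryption modes shown earlier (WEP, TKIP, AES-CCM) and the IKE phase 1 policies in the remote-access and site-to-site snippets (3DES, MD5, DH group 2), together with the Telnet, ASDM and RSA-key lines in the base configuration, are the settings a reviewer would flag today. This added Python script, not part of the guide, audits an excerpt assembled from the guide's own lines and reports each such setting with the stronger alternative; the SAMPLE_CONFIG excerpt is constructed.

```python
"""Flag weak or exposed settings in Cisco ASA/IOS config excerpts.
Added example, not RouteHub's code; the checks are limited to settings the
guide itself shows (3DES/MD5/DH group 2 for IKE phase 1, a 1024-bit RSA key,
WEP and TKIP, Telnet management, ASDM reachable from any address)."""
import re

# Constructed excerpt assembled from the guide's own snippets.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
crypto key generate rsa modulus 1024
http 192.168.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
interface Dot11Radio0
 encryption vlan 10 mode ciphers tkip
 encryption vlan 11 mode ciphers aes-ccm
 encryption vlan 12 mode wep mandatory
"""

# (regex applied to the stripped line, finding, recommendation)
# "encr" covers the IOS short form seen on the Site #2 router.
CHECKS = [
    (r"^encr(?:yption)? 3des\b", "IKE phase 1 encryption is 3DES", "use aes-256"),
    (r"^hash md5\b", "IKE phase 1 integrity is MD5", "use sha256, or at least sha"),
    (r"^group [12]\b", "IKE DH group 1 or 2 (1024-bit MODP or less)", "use group 14 or stronger"),
    (r"^telnet \S+ \S+ \S+", "Telnet management enabled (cleartext)", "remove; keep ssh only"),
    (r"^http 0\.0\.0\.0 0\.0\.0\.0 outside\b", "ASDM reachable from any source on outside", "restrict to admin sources"),
    (r"^crypto key generate rsa modulus (?:512|768|1024)\b", "RSA host key of 1024 bits or less", "use modulus 2048 or more"),
    (r"^encryption vlan \d+ mode wep\b", "WEP in use", "use WPA2 with aes-ccm"),
    (r"^encryption vlan \d+ mode ciphers .*\btkip\b", "TKIP in use", "use aes-ccm only"),
]


def audit(config: str):
    """Return [(line_number, line, finding, recommendation), ...] for every
    configuration line that matches one of the checks."""
    findings = []
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for pattern, finding, fix in CHECKS:
            if re.match(pattern, line):
                findings.append((number, line, finding, fix))
    return findings


if __name__ == "__main__":
    for number, line, finding, fix in audit(SAMPLE_CONFIG):
        print(f"line {number:2}: {finding} [{line}] -> {fix}")
```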
[Diagram: Cisco ASA firewall at Site #1 (LAN .1, outside 1.1.1.1) and Cisco IOS router at Site #2 (outside 2.2.2.2, LAN .1)]
>>Site #1<<
! WAN interface (outside) configured on ASA at Site #1
interface Ethernet0/0
ip address 1.1.1.1 255.255.255.252
speed 100
duplex full
nameif outside
! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list ACL-NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list ACL-NONAT
! enable ISAKMP policy (IKE Phase 1) on the “outside” using 3DES and MD5
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! configure IPSec policy (IKE Phase 2) for connecting with ASA at Site #2 ; use ID 10
crypto map vpn 10 match address RHG-ACL-VPN
crypto map vpn 10 set pfs group2
crypto map vpn 10 set peer 2.2.2.2
! apply the IPSec transform policy
crypto map vpn 10 set transform-set RHG-TS-ESP-MD5
! enable IPSec on the WAN interface (outside)
crypto map vpn interface outside
>>Site #2<<
! ISAKMP policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
! specifies the LAN subnets at Site #2 that will communicate with LAN subnets at Site #1
access-list 112 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
! LAN subnets at Site #2 communicating with LAN subnets at Site #1 will not use NAT
access-list 110 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
! WAN interface
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.0
! apply IPSec VPN policy
crypto map vpn
! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! specifies the IP addresses that should be assigned to VPN users once logged in
ip local pool routehub-pool 192.168.100.10-192.168.100.13 mask 255.255.255.0
! specify Microsoft IAS RADIUS server (192.168.10.10) and the shared key for user login
aaa-server RADIUS protocol radius
aaa-server IAS protocol radius
aaa-server IAS host 192.168.10.10
timeout 5
key cisco123
MONITOR
show isa sa
show crypto ipsec sa
show isakmp ipsec-over-tcp stats
show isakmp stats
show isakmp ipsec stats
show crypto protocol statistics ipsec
show crypto accelerator statistics
show vpn-sessiondb summary
show vpn-sessiondb l2l
show vpn-sessiondb remote
show vpn-sessiondb full remote
[Diagram: ASA with LAN 192.168.10.0/24 (.1, host .10), outside 1.1.1.1 toward 6.7.7.0/24, and DMZ 192.168.11.0/24]
USING PPTP
! apply PPTP class map under the global policy map for PPTP traffic to be inspected
policy-map global_policy
class ROUTEHUB-CLASS-VPDN
inspect pptp
[Diagram: 802.1q trunks on both sides carrying VLAN 198 and VLAN 298]
passwd cisco123
enable password cisco123
PROXY ARP
MONITOR
BASE CONFIGURATION
! configures PAT for all hosts on the LAN (inside) to use the IP configured on the WAN (outside)
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
DHCP
FAILOVER
! ACL that specifies what networks can be accessed across the VPN tunnel once established
access-list 108 permit ip any 192.168.10.0 255.255.255.0
! ACL that specifies that the LAN subnet and VPN subnet should not use NAT
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 100
! specify Cisco ACS using TACACS+ (192.168.1.15) and the shared key
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.15 cisco123 timeout 10
! configure IPSec policy for VPN users and will be authenticated against the TACACS+ server
crypto dynamic-map dynmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client configuration address respond
crypto map newmap client authentication TACACS+
! enable IPSec on the WAN interface (outside)
crypto map newmap interface outside
! configures vpn group for the address pool, DNS, and default domain name clients will use
! This also specifies the Group Authentication Name (vpn-client) for the VPN client program
vpngroup vpn-client address-pool vpn
vpngroup vpn-client dns-server 192.168.10.10
vpngroup vpn-client default-domain routehub.local
! specifies what subnets VPN users can access once connected (split tunnel ACL)
vpngroup vpn-client split-tunnel 108
vpngroup vpn-client idle-time 1800
! specifies the “Group Authentication Password” needed for the VPN client program
vpngroup vpn-client password cisco123
! specifies the IP addresses that should be assigned to PPTP users once logged in
ip local pool pptp-pool 192.168.100.10-192.168.100.100
! specify RADIUS server (192.168.1.5) and the shared key used for PPTP user login
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.10.11 radius-key timeout 5
! configures VPDN profile for PPTP and enables CHAP and MSCHAP PPP authentication
vpdn group 1 accept dialin pptp
! specify DNS server to use
vpdn group 1 client configuration dns 192.168.10.10
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
! associate the IP address pool with the PPTP VPDN profile
vpdn group 1 client configuration address local pptp-pool
! user authentication through RADIUS server
vpdn group 1 client authentication aaa RADIUS
[Diagram: site-to-site IPSec VPN between the Site #1 PIX (1.1.1.1) and the Site #2 PIX (2.2.2.2)]
! LAN subnets at Site #1 communicating with LAN subnets at Site #2 will not use NAT
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list 100
show isakmp sa
show crypto ipsec sa
show crypto interface
GENERAL
! makes one of the power supplies active while the other is a backup
power redundancy-mode redundant
MONITOR
! shows line module speed, fabric status, hotstandby support, and more
show fabric status
SYSTEM SWITCHOVER
[Diagram: two Catalyst chassis joined into a VSS by VSL 1 and VSL 2 (tenGE 1/4-5); multichassis port channels PC 1, PC 2 and PC 3; GE 1/1 in Vlan 10]
> STEP 1
! single domain ID shared with all VSS switches
switch virtual domain 100
! specify switch ID in VSS cluster
switch 1
! this will be our primary VSS switch
switch 1 priority 110
! switch 2 will be our secondary VSS switch
switch 2 priority 100
At this time the switch will restart to merge the configurations of the two switches,
renumber the interfaces from slot/port to switch-number/slot/port, and
negotiate the active and standby roles through NSF/SSO.
> STEP 3
! completes conversion process which will bring VSL configuration from
! standby switch and populate it into the running config
switch accept mode virtual
! put a port from switch1 and switch2 into the port-channel group
interface range tenGigabitEthernet 1/2/2, tenGigabitEthernet 2/2/2
switchport
channel-group 3 mode desirable
no shutdown
vlan 10
name SF1
vlan 20
name SF2
interface vlan10
ip address 192.168.10.1 255.255.255.0
no shutdown
interface vlan20
ip address 192.168.20.1 255.255.255.0
no shutdown
> STEP 1
! single domain ID shared with all VSS switches
switch virtual domain 100
! specify switch ID in VSS cluster
switch 2
! switch 1 will be our primary VSS switch
switch 1 priority 110
! this switch will be our secondary VSS switch
switch 2 priority 100
At this time the switch will restart to merge the configurations of the two switches,
renumber the interfaces from slot/port to switch-number/slot/port, and
negotiate the active and standby roles through NSF/SSO.
After the reboot completes, the console on the standby VSS switch is disabled.
All further configuration is done on the primary VSS switch.
vlan 10
name SF1
vlan 20
name SF2
! make sure the new IOS image is copied to the flash memory of both the primary and secondary VSS switches
! specify the boot variable for the new IOS image
boot system flash sup-bootdisk:new-image.bin
! After the secondary VSS is booted up with the new IOS image verify the peer relationship
! between Supervisors are in a SSO state (Hot standby)
! The VSS cluster should now be operating at 100% bandwidth capacity
show switch virtual redundancy
! verify current eFSU state, which should reflect "Load Version" next to ISSU
show issu state
! When secondary VSS is booted up completely run "issu runversion" command to cause
! the supervisor/chassis switchover, so the secondary VSS switch can be the active VSS switch
! while switch1 is being reloaded.
! Switchover will cause ~200msec traffic loss
issu runversion 2/1
! If the new IOS image is good accept the new IOS version
! If it is not accepted within the rollback timer, the eFSU software upgrade will terminate
! and go back to the older IOS image
issu acceptversion 2/1
! Final step which will reload switch1 to run the new IOS image.
! At this point the VSS cluster will operate at 50% bandwidth capacity until
! switch1 comes back up
issu commitversion
[Diagram: Core switch to Access switch on Gi3/1, user subnet 192.168.10.0/24]
Note: doesn't impact rate limiting to the user, only rate limiting from the user
[Diagram: Core switch to Access switch on Gi3/1, user subnet 192.168.10.0/24]
Note: this will rate limit traffic to and from the user
! add VLAN that will be used for the FWSM (on slot 4)
vlan 100
name FWSM-OUTSIDE
vlan 101
name FWSM-INSIDE
INTERFACES
! Configure interface, IP, and security zones for WAN interface (outside)
interface Vlan100
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0
! Configure interface, IP, and security zones for LAN interface (inside)
interface Vlan101
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
! associate VLANs for inside & outside interfaces to FWSM (located in slot 4)
firewall vlan-group 1 10-11
firewall module 4 vlan-group 1
FAILOVER
! enable failover and make this unit the primary
failover
failover lan unit primary
! failover (LAN) link between the two units, carried on VLAN 100
failover lan interface failover vlan 100
! send unit hellos every 500 msec; declare the peer failed after a 3 second hold time
failover polltime unit msec 500 holdtime 3
! poll the monitored interfaces every 3 seconds
failover polltime interface 3
! fail over only when all (100%) of the monitored interfaces have failed
failover interface-policy 100%
! replicate HTTP connection state to the standby unit
failover replication http
! stateful failover (state) link, carried on VLAN 101
failover link state vlan 101
! active and standby IP addresses for the failover and state links
failover interface ip failover 9.9.9.1 255.255.255.252 standby 9.9.9.2
failover interface ip state 9.9.8.1 255.255.255.252 standby 9.9.8.2
NAM
! specify the VLANs the NAM module will capture on the switch
analysis module 7 data-port 1 capture allowed-vlan 10,100
analysis module 7 data-port 2 capture allowed-vlan 11,101-102
! makes one of the power supplies active while the other is a backup
power redundancy-mode redundant
policy-map DBL
class class-default
dbl
interface GigabitEthernet2/1
! trust DSCP marking of connected host
qos trust dscp
! apply QoS DBL inbound on switchport
service-policy input DBL
interface GigabitEthernet6/14
! trust DSCP marking of connected host
qos trust dscp
! QoS TX queuing
tx-queue 1
bandwidth percent 5
tx-queue 2
bandwidth percent 25
tx-queue 3
bandwidth percent 30
priority high
shape percent 30
tx-queue 4
bandwidth percent 40
! apply QoS DBL outbound on switchport
service-policy output DBL
STACK MASTER
[Diagram: cluster group EPD; commander switch 0006.d743.a4c0 with member switches, including Access Switch #13 at 000a.8a85.d9c0]
When using the stack feature among a group of Cisco Catalyst XL series switches there
is a single COMMANDER (controller) switch which controls the stack.
COMMANDER:
! Define cluster name and ID
cluster enable epd 0
! list all member switches in the cluster using the MAC-address for that switch
cluster member 1 mac-address 0006.53c5.2440
cluster member 2 mac-address 0006.d743.89c0
cluster member 3 mac-address 000b.5f76.ef80
cluster member 4 mac-address 0006.53c5.1d00
cluster member 5 mac-address 0006.53c4.cb40
cluster member 6 mac-address 0006.28d4.2f40
cluster member 7 mac-address 0005.dd40.4540
cluster member 8 mac-address 0006.53c5.2340
cluster member 9 mac-address 0005.dd44.d740
cluster member 10 mac-address 0006.d7a4.a980
cluster member 11 mac-address 0009.4493.2f00
cluster member 12 mac-address 0009.b751.6e8
cluster member 13 mac-address 000a.8a85.d9c0
ROUTED MODE
[Diagram: load balancer in routed mode in front of a server farm; VIP 192.168.20.10; server WEB02TRA at .12]
! class map defining the VIP for the web server farm
class-map match-all RHG-CLASS-VIP-WEB
! create VIP for TCP/80
2 match virtual-address 192.168.20.10 tcp eq www
MANAGEMENT TRAFFIC
L2 INTERFACE
interface e1/1
! enables L2 interface
switchport
switchport access vlan 10
switchport mode access
L3 INTERFACE
interface e1/1
! enables L3 interface
no switchport
ip address 10.1.1.1/24
SAVING CONFIGURATION
ALIAS
! dedicate the full 10GE rate to this port; this disables ports 3, 5, and 7 of slot 1 (the other members of the port group)
interface e1/1
rate-mode dedicated
[Diagram: NX-1 with VLAN 10 SVI 192.168.10.1]
ACCESS/EDGE PORT
[Diagram: host 192.168.10.10/24 connected to NX-1 e2/1 in VLAN 10 (SVI 192.168.10.1)]
interface e2/1
switchport
! place interface into VLAN 10
switchport access vlan 10
switchport mode access
[Diagram: NX-1 e1/1 to NX-2 e1/1, 802.1Q trunk carrying VLAN tag 10; VLAN 10 SVI 192.168.10.1; host port e2/1 in vlan10]
interface e1/1
switchport
! specify native VLAN (untagged)
switchport trunk native vlan 999
! specify what VLAN tags are allowed
switchport trunk allowed vlan 10
switchport mode trunk
[Diagram: host 192.168.10.10/24 on NX-1 e2/1 in vlan10]
interface e2/1
! specify that this interface is for hosts (e.g. desktops, servers)
spanning-tree port type edge
STORM CONTROL
interface ethernet1/1
! limits broadcast traffic to no more than 20% of the interface's bandwidth
storm-control broadcast level 20
UDLD
[Diagram: NX-1 and NX-2 joined by a port channel on e1/1-2 and by copper Gig ports on e1/3]
interface e1/1-2
! enable for Port Channeling ports between switches
udld aggressive
interface e1/3
! enable for Copper ports between switches
udld enable
MAC AGING
! configure the global aging time for MAC addresses on the Nexus switch
mac address-table aging-time 120
! configures a static entry for the MAC address, switch port and VLAN it should be associated to
mac address-table static 1234.5678.9ABC vlan 10 interface ethernet 1/10
[Diagram: NX-1 e1/2 to NX-2 e1/2 over VLAN 10, 10.1.1.0/30 (.1 and .2)]
EIGRP
[Diagram: EIGRP ASN 1; Nexus with vlan10 (192.168.10.0/24, .1) connected via e1/1 (10.1.1.0/24, .1) to the Core e1/1 (.2)]
! specify the EIGRP routes we want to receive from other EIGRP routers
ip prefix-list PL-EIGRP-IN seq 10 permit 0.0.0.0/0
interface e1/1
no switchport
ip address 10.1.1.1/24
! interface network (10.1.1.0/24) added to EIGRP ASN 1
ip router eigrp 1
! enable MD5 authentication and associate key-chain to interface for EIGRP
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 SEIGRP
! associate prefix-list to only advertise the routes listed in the prefix-list to all neighbors
ip distribute-list eigrp 1 prefix-list PL-EIGRP-OUT out
! associate prefix-list to only receive the routes listed in the prefix-list
ip distribute-list eigrp 1 prefix-list PL-EIGRP-IN in
! summarizes all subnets within 192.168.x.x to 192.168.0.0/16 to Core
ip summary-address eigrp 1 192.168.0.0/16
interface Vlan10
ip address 192.168.10.1/24
! interface network (192.168.10.0/24) added to EIGRP ASN 1
ip router eigrp 1
! passive interface: no EIGRP hellos or neighbors on this interface, but its network is still advertised
ip passive-interface eigrp 1
! specify the EIGRP routes we want to receive from other EIGRP routers
ip prefix-list PL-EIGRP-IN seq 10 permit 10.1.1.0/24
ip prefix-list PL-EIGRP-IN seq 11 permit 192.168.0.0/16
interface e1/1
no switchport
ip address 10.1.1.1/24
! interface network (10.1.1.0/24) added to EIGRP ASN 1
ip router eigrp 1
! enable MD5 authentication and associate key-chain to interface for EIGRP
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 SEIGRP
! associate prefix-list to only advertise the routes listed in the prefix-list to all neighbors
ip distribute-list eigrp 1 prefix-list PL-EIGRP-OUT out
! associate prefix-list to only receive the routes listed in the prefix-list
ip distribute-list eigrp 1 prefix-list PL-EIGRP-IN in
router eigrp 1
address-family ipv4 unicast
! enable non-stop forwarding for EIGRP
graceful-restart
timers nsf converge 180
timers nsf route-hold 200
show ip route
show ip eigrp neighbors
[Diagram: VLAN 11, 192.168.11.0/24]
! specify the OSPF routes we want to receive from other OSPF routers
ip prefix-list PL-OSPF-IN seq 10 permit 0.0.0.0/0
interface Vlan10
ip address 192.168.10.1/24
! interface network (192.168.10.0/24) added to OSPF Area 10
ip router ospf 2 area 10
! passive interface: no OSPF hellos or neighbors on this interface, but its network is still advertised
ip ospf passive-interface
interface Vlan11
ip address 192.168.11.1/24
! interface network (192.168.11.0/24) added to OSPF Area 10
ip router ospf 2 area 10
! passive interface: no OSPF hellos or neighbors on this interface, but its network is still advertised
ip ospf passive-interface
! specify the OSPF routes we want to receive from other OSPF routers
ip prefix-list PL-OSPF-IN seq 10 permit 10.1.1.0/24
ip prefix-list PL-OSPF-IN seq 11 permit 192.168.0.0/16
show ip route
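The prefix-lists in the EIGRP and OSPF sections above behave the same way, and the detail that matters is that an entry without `ge`/`le` is an exact match: `permit 0.0.0.0/0` accepts only the default route, and `permit 192.168.0.0/16` accepts the summary but not 192.168.10.0/24. The following evaluator is an added example, not code from the RouteHub guide; the list names ending in `-CORE` and `-CORE-LOOSE` and the advertised route set are constructed for illustration.

```python
"""Cisco-style IP prefix-list evaluation.

Added example (not from the RouteHub guide): it reproduces the matching rule
the PL-EIGRP-IN and PL-OSPF-IN lists rely on, so you can see which routes a
distribute-list built on them actually accepts. PL-EIGRP-IN-CORE and
PL-EIGRP-IN-CORE-LOOSE are constructed names; the route set is constructed.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_lists(config_text):
    """Return {list_name: [(seq, action, network, ge, le), ...]} sorted by seq."""
    lists = {}
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # comments and unrelated commands
        name, seq, action, prefix, ge, le = m.groups()
        lists.setdefault(name, []).append(
            (int(seq), action, ipaddress.IPv4Network(prefix),
             int(ge) if ge else None, int(le) if le else None)
        )
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists


def entry_matches(entry, route):
    """An entry matches when the route lies inside the configured prefix AND
    its length is inside the allowed range. Without ge/le the range is the
    configured length only, i.e. an exact match."""
    _seq, _action, net, ge, le = entry
    if not route.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= route.prefixlen <= high


def evaluate(entries, route):
    """First matching entry decides; an unmatched route is implicitly denied."""
    route = ipaddress.IPv4Network(route)
    for entry in entries:
        if entry_matches(entry, route):
            return entry[1]
    return "deny"


def filter_routes(entries, routes):
    """Map each advertised route to the action the prefix-list applies to it."""
    return {r: evaluate(entries, r) for r in routes}


# The access-switch list from above, the core-side list under a constructed
# name, and a constructed variant that loosens the summary entry with 'le 24'.
CONFIG = """
ip prefix-list PL-EIGRP-IN seq 10 permit 0.0.0.0/0
ip prefix-list PL-EIGRP-IN-CORE seq 10 permit 10.1.1.0/24
ip prefix-list PL-EIGRP-IN-CORE seq 11 permit 192.168.0.0/16
ip prefix-list PL-EIGRP-IN-CORE-LOOSE seq 10 permit 10.1.1.0/24
ip prefix-list PL-EIGRP-IN-CORE-LOOSE seq 11 permit 192.168.0.0/16 le 24
"""

# Constructed sample of what a neighbor might advertise.
ADVERTISED = ["0.0.0.0/0", "10.1.1.0/24", "192.168.0.0/16", "192.168.10.0/24", "172.16.0.0/12"]


def demo():
    lists = parse_prefix_lists(CONFIG)
    return {name: filter_routes(entries, ADVERTISED) for name, entries in lists.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for route, action in result.items():
            print(f"  {route:18} {action}")
```

Run it and PL-EIGRP-IN permits only 0.0.0.0/0, PL-EIGRP-IN-CORE permits 10.1.1.0/24 and the 192.168.0.0/16 summary while denying 192.168.10.0/24, and only the `le 24` variant lets the more specific /24 through.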
HSRP
[Diagram: two Nexus switches trunked over e1/1 (802.1Q, VLAN tag 10); VLAN 10 addresses 192.168.10.2 and 192.168.10.3 sharing VIP 192.168.10.1; host 192.168.10.10/24 in vlan10]
interface Vlan10
ip address 192.168.10.2/24
! configure HSRP group 1
hsrp 1
! virtual IP address used as default gateway for devices
ip 192.168.10.1
! this is the primary HSRP router
priority 110
preempt delay minimum 180
! MD5 authentication and password
authentication md5 key-string Cisco123
! set hello timer to 1 second & hold timer to 3 seconds
timers 1 3
interface Vlan10
ip address 192.168.10.3/24
! configure HSRP group 1
hsrp 1
! virtual IP address used as default gateway for devices
ip 192.168.10.1
preempt
! MD5 authentication and password
authentication md5 key-string Cisco123
! set hello timer to 1 second & hold timer to 3 seconds
timers 1 3
show hsrp
[Diagram: NX-1 e1/1 (1.1.1.1) facing the Network; protected subnet 192.168.10.0/24]
! ACL policy
ip access-list RHG-ACL
10 permit udp any 192.168.10.10/32 eq snmp
20 permit tcp any 192.168.10.10/32 eq 443
30 permit tcp any 192.168.10.10/32 eq 80
40 permit tcp any 192.168.10.10/32 eq 25
interface e1/1
ip address 1.1.1.1/24
! enable ACL inbound on interface
ip access-group RHG-ACL in
! ACL to specify what networks and services can use the management context
ip access-list ACL-MGMT
! any host on the 192.168.10.0 subnet can SSH to Nexus
10 permit tcp 192.168.10.0/24 any eq 22
! only NMS server (.10) can query SNMP from Nexus
20 permit udp 192.168.10.10/32 any eq snmp
! allow ICMP to Nexus from any network
30 permit icmp any any
interface mgmt 0
! ACL applied to management interface
ip access-group ACL-MGMT in
! configure IP and mask for Management interface
ip address 192.168.99.2/24
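Both ACLs above are evaluated top down by sequence number, the first match decides, and anything unmatched falls into the implicit deny at the end. The evaluator below is an added example, not code from the RouteHub guide: it parses the RHG-ACL and ACL-MGMT policies as written above and runs constructed sample packets through them. The `PORT_NAMES` table is an assumption that covers only the service names used on this page, and the sample addresses are constructed.

```python
"""First-match evaluation of NX-OS style IP access lists.

Added example (not from the RouteHub guide): it parses the RHG-ACL and ACL-MGMT
policies from the Nexus section and runs constructed sample packets through
them, including the implicit deny at the end of every ACL. PORT_NAMES is an
assumed subset covering only the service names used on this page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names accepted after 'eq' in the ACLs above (assumed subset).
PORT_NAMES = {"snmp": 161, "www": 80, "ssh": 22, "smtp": 25, "https": 443}


@dataclass
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # destination port, None means any


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' -> 0.0.0.0/0, 'a.b.c.d/len' -> that prefix, bare address -> /32."""
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(token if "/" in token else token + "/32", strict=False)


def parse_acls(text: str) -> Dict[str, List[Entry]]:
    """Parse 'ip access-list NAME' blocks; entries are kept in sequence order."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("ip access-list "):
            current = line.split()[2]
            acls[current] = []
            continue
        tok = line.split()
        dport = None
        if len(tok) >= 7 and tok[5] == "eq":
            dport = PORT_NAMES.get(tok[6]) or int(tok[6])
        acls[current].append(Entry(int(tok[0]), tok[1], tok[2], _net(tok[3]), _net(tok[4]), dport))
    for entries in acls.values():
        entries.sort(key=lambda e: e.seq)
    return acls


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); ('deny', None) is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


# The two ACLs from the Nexus section above, as written there.
ACL_CONFIG = """
ip access-list RHG-ACL
10 permit udp any 192.168.10.10/32 eq snmp
20 permit tcp any 192.168.10.10/32 eq 443
30 permit tcp any 192.168.10.10/32 eq 80
40 permit tcp any 192.168.10.10/32 eq 25
ip access-list ACL-MGMT
10 permit tcp 192.168.10.0/24 any eq 22
20 permit udp 192.168.10.10/32 any eq snmp
30 permit icmp any any
"""

# Constructed traffic samples: (acl, proto, src, dst, dport, description)
SAMPLES = [
    ("ACL-MGMT", "tcp", "192.168.10.50", "192.168.99.2", 22, "SSH from the user subnet"),
    ("ACL-MGMT", "tcp", "10.0.0.5", "192.168.99.2", 22, "SSH from elsewhere"),
    ("ACL-MGMT", "udp", "192.168.10.11", "192.168.99.2", 161, "SNMP from a non-NMS host"),
    ("ACL-MGMT", "icmp", "10.0.0.5", "192.168.99.2", None, "ping from anywhere"),
    ("RHG-ACL", "tcp", "203.0.113.9", "192.168.10.10", 443, "HTTPS to the published server"),
    ("RHG-ACL", "tcp", "203.0.113.9", "192.168.10.11", 443, "HTTPS to a non-published host"),
]


def run_samples() -> List[Tuple[str, str, Optional[int]]]:
    acls = parse_acls(ACL_CONFIG)
    return [(desc,) + evaluate(acls[name], proto, src, dst, dport)
            for name, proto, src, dst, dport, desc in SAMPLES]


if __name__ == "__main__":
    for desc, action, seq in run_samples():
        print(f"{desc:35} -> {action} (seq {seq if seq is not None else 'implicit'})")
```

The output makes the implicit deny visible: SSH from outside 192.168.10.0/24 and SNMP from any host other than the NMS at .10 match nothing and are dropped, while ICMP is accepted from anywhere by sequence 30.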
NTP
LOGGING (SYSLOG)
TELNET
! enable Telnet
feature telnet
VTY
line vty
! allow up to 15 concurrent Telnet/SSH sessions
session-limit 15
! Telnet/SSH idle timeout of 15 minutes
exec-timeout 15
! enable TACACS+
feature tacacs+
! disable Telnet (recommended)
no feature telnet
! enable RADIUS
feature radius
! enable RADIUS for user authentication on the Nexus then local DB as fall back
aaa authentication login default group RHG-AAA
! enable RADIUS authentication through console port
aaa authentication login console group RHG-AAA
! enable RADIUS accounting on Nexus switch
aaa accounting default group RHG-AAA
LINE CARD ID
SYSTEM SWITCHOVER
[Diagram: NX-5000 ports e1/10 and e1/11 uplinked to NX-2000 fabric extender FEX 100]
interface Ethernet1/10
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 100
interface Ethernet1/11
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 100
show fex
sh int ex/x fex-intf
interface Ethernet1/10
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 101
! associate interface to port channel group
channel-group 101
interface Ethernet1/11
! enable interface as a fabric extender port
switchport mode fex-fabric
! associate interface to fex group created
fex associate 101
! associate interface to port channel group
channel-group 101
show fex
sh int ex/x fex-intf
VPC
[Diagram: NX-1 (Primary) and NX-2 (Secondary); vPC keepalive link on e1/1-2 over 10.1.1.0/30 (.1 and .2); port channels PC 10 and PC 11 on e1/3-4; vPC peer link on e3/1; downstream vPC port channel PC 201]
>>NX-1<<
! enable vPC
feature vpc
>>NX-2<<
! enable vPC
feature vpc
! hostname on Nexus
hostname RHG
[Diagram: NX-1 and NX-2 at two sites, each carrying 192.168.11.0/24, extended between them by OTV]
! enable OTV
feature otv
SERIAL DS3
HSSI
interface Hssi1/0
ip address 1.1.1.1 255.255.255.0
! specify correct encapsulation to use
encapsulation ppp
serial restart-delay 0
interface Serial0/1
ip address 1.1.1.1 255.255.255.0
! specify encapsulation to use
encapsulation ppp
fair-queue
! specify T1 clock source
service-module t1 clock source internal
! specify number of T1 channels (up to 24 channels)
service-module t1 timeslots 1-24
! take part in network clocking with the T1 on WIC 0 and use T1 0/0/0 as clock source priority 1
network-clock-participate wic 0
network-clock-select 1 T1 0/0/0
T1 USING CAS
controller T1 1/0
framing esf
linecode b8zs
! enables CAS for digital signaling for T1 circuit
ds0-group 0 timeslots 1-4 type e&m-wink-start
ATM PVC
[Diagram: R1 ATM2/0 subinterfaces .1, .2 and .3 with PVCs on 10.1.1.0/30, 10.1.2.0/30 and 10.1.3.0/30]
T-3 MUX
[Diagram: AGG-1 T3 into a MUX (T3 = 28 T1s) feeding R1 (10.1.1.2/30) through R28 (10.1.28.2/30); AGG-1 side addresses 10.1.1.1 through 10.1.28.1]
interface POS4/0
description OC-12
bandwidth 622000
ip address 1.1.1.1 255.255.255.0
crc 16
OR
interface POS4/0
description OC-3
bandwidth 155000
ip address 1.1.1.1 255.255.255.0
crc 16
3G
[Diagram: 3G WAN interface with an automatically assigned IP]
MLPPP
interface Serial0/0/0:0
no ip address
! enable PPP encapsulation
encapsulation ppp
! enable MLPPP and add to group 1
ppp multilink
ppp multilink group 1
interface Serial0/0/1:0
no ip address
! enable PPP encapsulation
encapsulation ppp
! enable MLPPP and add to group 1
ppp multilink
ppp multilink group 1
interface Serial0
no ip address
! enable PPP encapsulation
encapsulation ppp
no fair-queue
! enable MLPPP
ppp multilink
! add to group 1
multilink-group 1
interface Serial1
no ip address
! enable PPP encapsulation
encapsulation ppp
no fair-queue
! enable MLPPP
ppp multilink
! add to group 1
multilink-group 1
WAN
[Diagram: Frame Relay WAN; router 1.1.1.1 at 10.1.1.1 (local DLCI 100) to router 2.2.2.2 at 10.1.1.2 (DLCI 200) on 10.1.1.0/24]
interface Serial0/0
ip address 10.1.1.1 255.255.255.0
! enable Frame Relay
encapsulation frame-relay IETF
! configure OSPF network for NBMA Frame relay network
ip ospf network point-to-multipoint
! define Frame relay map to destination router using local DLCI of 100
frame-relay map ip 10.1.1.2 100 broadcast
! disable Inverse-ARP for Frame Relay
no frame-relay inverse-arp
! specify LMI type of ANSI
frame-relay lmi-type ansi
router ospf 1
network 10.1.1.0 0.0.0.3 area 0
interface Serial0/0/1:0
no ip address
! make this T1 a member of multilink Frame Relay bundle MFR0
encapsulation frame-relay MFR0
no arp frame-relay
! link identifier for this bundle member
frame-relay multilink lid link2
interface Serial0/0/0
ip address 1.1.1.1 255.255.255.0
! enable Frame relay
encapsulation frame-relay IETF
! configure T1 and timeslots
service-module t1 timeslots 1-24
service-module t1 fdl both
! specify Frame relay LMI type
frame-relay lmi-type ansi
interface Virtual-Template1
! IP negotiated once authenticated
ip address negotiated
! configure CHAP username and password
ppp chap hostname user@realm
ppp chap password 0 cisco123
! PPP IPCP configuration
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
! default gateway
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
[Diagram: PPPoE server, FE0/0 10.1.1.1/30, with PPPoE pool 192.168.11.10 - 192.168.11.19; PPPoE client, FE0/0 dynamic, FE0/1 .1 on 192.168.20.0/24]
hostname pppoe-server
! enable VPDN
vpdn enable
no vpdn logging
ip classless
no ip http server
Monitor:
show vpdn
show ip interface brief
show ip address outside pppoe
show vpdn tunnel pppoe
show vpdn session pppoe
show vpdn pppinterface
show vpdn group
show vpdn username
hostname pppoe-client
! enable VPDN
vpdn enable
no vpdn logging
! define dialer list to permit any IP traffic to use the dialer interface
dialer-list 1 protocol ip permit
ip classless
no ip http server
! NAT Overload (PAT) configuration using the IP assigned to the dialer interface
ip nat inside source list 1 interface Dialer1 overload
! default gateway pointing to the PPPoE server through the dialer1 interface
ip route 0.0.0.0 0.0.0.0 dialer1
interface GigabitEthernet1/1
! ensures no additional delay in the notification of a down link for interface
carrier-delay msec 0
IP EVENT DAMPENING
Controls the rate at which interface state changes are propagated to the routing
protocols when a link flaps. This should be enabled on all L3 interfaces in the
LAN/Campus network.
interface GigabitEthernet1/1
dampening
INTERFACES (L3)
interface GigabitEthernet1/1
! do not send ICMP redirects
no ip redirects
! do not send ICMP unreachables (also limits the router's usefulness for network mapping)
no ip unreachables
! do not answer ARP requests on behalf of other hosts
no ip proxy-arp
interface GigabitEthernetX/Y
description L2 port
switchport
! ensures no additional delay in the notification of a down link for interface
carrier-delay msec 0
interface GigabitEthernet1/1
description Untrusted facing interface
! strict uRPF: drop packets whose source address is not reachable back through this interface (anti-spoofing)
ip verify unicast reverse-path
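What `ip verify unicast reverse-path` actually drops depends on the routing table: a packet passes strict uRPF only when the best route back to its source points out the interface it arrived on, and a default route is not consulted unless `allow-default` is configured. The simulation below is an added example, not code from the RouteHub guide; the routing table, interface names and packet sources are constructed, and the `allow_default` flag models the IOS `allow-default` keyword.

```python
"""Strict and loose unicast RPF decisions against a routing table.

Added example (not from the RouteHub guide): it shows which packets the
'ip verify unicast reverse-path' line on the untrusted interface would drop.
The routing table and packets are constructed; allow_default models the IOS
'allow-default' keyword, which is off by default.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface).
ROUTES = [
    ("192.168.10.0/24", "GigabitEthernet1/2"),   # internal users
    ("192.168.20.0/24", "GigabitEthernet1/2"),   # internal servers
    ("203.0.113.0/24", "GigabitEthernet1/1"),    # a peer reachable via the untrusted side
    ("0.0.0.0/0", "GigabitEthernet1/1"),         # default route toward the Internet
]


def best_route(routes, address):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.IPv4Address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(routes, ingress_if, src, mode="strict", allow_default=False):
    """True when a packet with source 'src' arriving on 'ingress_if' survives uRPF.

    strict: the best route back to src must point out the ingress interface.
    loose : any route to src is enough (used where return paths are asymmetric).
    A default route only counts when allow_default is set.
    """
    match = best_route(routes, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress_if


# Constructed packets arriving on the untrusted interface.
INGRESS = "GigabitEthernet1/1"
PACKETS = {
    "spoofed internal source 192.168.10.5": "192.168.10.5",
    "legitimate peer 203.0.113.7": "203.0.113.7",
    "random Internet source 198.51.100.9": "198.51.100.9",
}


def check_all(mode="strict", allow_default=False):
    """Decision for every sample packet under the given uRPF mode."""
    return {label: urpf_passes(ROUTES, INGRESS, src, mode, allow_default)
            for label, src in PACKETS.items()}


if __name__ == "__main__":
    for label, ok in check_all().items():
        print(f"strict uRPF     {label:38} {'forward' if ok else 'DROP'}")
    for label, ok in check_all(allow_default=True).items():
        print(f"+allow-default  {label:38} {'forward' if ok else 'DROP'}")
```

With the constructed table, the packet claiming an internal source is dropped on the untrusted interface in strict mode because its return path is Gi1/2, the peer in 203.0.113.0/24 is forwarded, and sources covered only by the default route are dropped until `allow-default` is added; loose mode would let the spoofed internal source through, which is why the untrusted-facing interface uses the strict form.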
BASE CONFIGURATION
  Cisco Catalyst Switches
  Cisco Routers
  StandAlone Cisco Access Point (AP)
TEMPLATES
  QoS
    QoS on WAN Router (I)
    QoS on Internet Edge
    QoS on WAN Router (II)
hostname RHG-CS01-TRA-CA
vtp domain ROUTEHUB
ip domain-name ROUTEHUB
banner motd ^C
-------------------------------------------------------------
This system is for ROUTEHUB GROUP use only!
^C
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service tcp-small-servers
no service udp-small-servers
service sequence-numbers
no aaa new-model
no ip subnet-zero
ip routing
mls qos
ip tcp synwait-time 10
ip telnet quiet
ip telnet hidden addresses
no cdp run
ip classless
no ip http server
ip domain-name routehub.local
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 15
ip ssh version 2
line con 0
exec-timeout 15 0
password cisco123
logging synchronous
line vty 0 4
exec-timeout 15 0
login local
! accept SSH only on the VTY lines (RSA keys and SSH v2 are enabled above)
transport input ssh
transport output all
hostname cs-cs01-mp-ca
vtp domain ROUTEHUB
ip domain-name ROUTEHUB
banner motd ^C
-------------------------------------------------------------
This system is for ROUTEHUB GROUP use only!
^C
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no aaa new-model
no ip subnet-zero
no ip bootp server
no ip domain lookup
ip tcp synwait-time 10
ip telnet quiet
ip telnet hidden addresses
no cdp run
line con 0
exec-timeout 15 0
password cisco123
logging synchronous
line vty 0 4
exec-timeout 15 0
login local
transport input telnet
transport output all
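The switch and router templates above are only useful if every device actually carries them, so a practitioner will want to check configurations against that baseline rather than read them by eye. The audit script below is an added example, not part of the RouteHub guide: its check list is drawn from the commands in the two templates, the sample configuration is constructed to resemble the router template, and the parser assumes the children of each `line` block are indented as `show running-config` prints them.

```python
"""Audit an IOS base configuration against the hardening items used in the
switch and router templates above.

Added example, not part of the RouteHub guide. The check list is drawn from
the commands in those templates; the sample configuration is constructed and
indents line children the way 'show running-config' does, which the parser
assumes.
"""
import re

# Global commands the templates rely on; each must appear verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "no ip http server",
    "no cdp run",
    "ip ssh version 2",
]


def parse_ios(text):
    """Split a config into top-level commands and the children of each 'line' block."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:          # child of the current line block
                blocks[current].append(raw.strip())
            continue                          # children of other blocks are ignored
        line = raw.strip()
        if line.startswith("line "):
            current = line
            blocks[current] = []
        else:
            current = None
            top.append(line)
    return top, blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top, blocks = parse_ios(text)
    present = set(top)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"missing global command: {cmd}")
    if not any(c.startswith("banner motd") for c in top):
        findings.append("no login banner (banner motd)")
    for name, children in blocks.items():
        if not any(c.startswith("exec-timeout") for c in children):
            findings.append(f"{name}: no exec-timeout")
        for c in children:
            if c.startswith("transport input") and "telnet" in c.split():
                findings.append(f"{name}: '{c}' accepts cleartext Telnet; use 'transport input ssh'")
            if c.startswith("password ") and not re.match(r"password [57] ", c):
                findings.append(f"{name}: line password is stored in cleartext in this template")
    return findings


# Constructed sample modelled on the router template above (children indented).
SAMPLE_CONFIG = """\
hostname cs-cs01-mp-ca
banner motd ^C
This system is for ROUTEHUB GROUP use only!
^C
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip http server
no cdp run
line con 0
 exec-timeout 15 0
 password cisco123
 logging synchronous
line vty 0 4
 exec-timeout 15 0
 login local
 transport input telnet
 transport output all
"""

# The same sample after adding the remaining template commands.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
no service tcp-small-servers
no service udp-small-servers
ip ssh version 2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```

Against the constructed sample the audit reports the three missing global commands, the cleartext console password and the Telnet-only VTY; after the three globals are added only the two line findings remain, which is exactly what an operator has to fix by hand before the device matches the template.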
>> on switch
hostname cs-cs01-mp-ca
vlan 10
name RHG-VLAN-WLAN-PROD
vlan 110
name RHG-VLAN-WLAN-GUEST
vlan 99
name RHG-VLAN-WLAN-MGMT
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport trunk allowed vlan 10,99,110
switchport mode trunk
hostname rhg-ap01-sf-ca
interface BVI1
ip address 192.168.99.21 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no shutdown
ip default-gateway 192.168.99.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
ip subnet-zero
no aaa new-model
dot11 network-map
dot11 arp-cache
line vty 0 4
login local
bridge irb
interface Dot11Radio0
no shutdown
encryption vlan 110 mode ciphers tkip
encryption vlan 10 mode ciphers tkip
ssid rhgpublic
ssid rhgwlan
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface Dot11Radio0.110
encapsulation dot1Q 110
no ip route-cache
no cdp enable
bridge-group 110
bridge-group 110 subscriber-loop-control
bridge-group 110 block-unknown-source
no bridge-group 110 source-learning
no bridge-group 110 unicast-flooding
bridge-group 110 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
interface FastEthernet0.110
encapsulation dot1Q 110
no ip route-cache
bridge-group 110
no bridge-group 110 source-learning
bridge-group 110 spanning-disabled
end
write mem
QOS
[Diagram: WAN link between router 1.1.1.1 (10.1.2.1) and router 2.2.2.2 (10.1.2.2) on 10.1.2.0/24]
policy-map RHG-PM-QOS
! Voice RTP enabled for LLQ (33%) and cRTP
class RHG-CM-VOICE-RTP
priority percent 33
compress header ip rtp
! Voice Control enabled for CBWFQ (5%)
class RHG-CM-VOICE-CONTROL
bandwidth percent 5
! all other traffic (Data) use best effort, WFQ, & WRED for TCP traffic
class class-default
fair-queue
random-detect dscp-based
ROUTING
[Diagram: dual-homed Internet edge, ASN 6778, with the Core behind it advertising 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and 192.168.40.0/24; ISP1 peer 1.1.1.117, ISP2 peer 2.2.2.61]
ISP1: 1.1.1.117
ISP2: 2.2.2.61
OUTBOUND: access from our LAN/DC out to the Internet
INBOUND: access from the Internet into our LAN/DC
If either provider fails, the networks will be routed through the other provider.
interface Vlan123
description "RHG Servers"
ip address 192.168.10.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
! policy-based routing: steer outbound traffic from this VLAN toward ISP2 using route-map RHG-PBR-OUT-ISP2
ip policy route-map RHG-PBR-OUT-ISP2
[Diagram: distribution/core switch (DS/CS) Gi1/0/1 running EIGRP, 802.1Q trunk carrying VLAN 10 to access switch (AS) Gi0/1; host on AS Gi0/2 in VLAN 10; Vlan10 SVI 192.168.10.1]
! Configure VLAN(s)
vlan 10
name VLAN-10-USER1
! Configure VLAN(s)
vlan 10
name VLAN-10-USER1
[Diagram: DS/CS Gi1/0/1 (10.99.100.1/30) L3 link running EIGRP to AS Gi0/1 (10.99.100.2/30); host on AS Gi0/2 in VLAN 10; Vlan10 SVI 192.168.10.1]
! Configure VLAN(s)
vlan 10
name VLAN-10-USER1
! IGP routing process advertising the VLAN10 network and Interconnection network
! within AS
router eigrp 1
network 10.99.100.0 0.0.0.3
network 192.168.10.0
no auto-summary
MICROSOFT
  Change MTU on Windows 7/Vista
  MSConfig
APPLE/LINUX
  Adding Static Routes
MICROSOFT
MSCONFIG